CN108200053A - Record the method and device of APT attack operations - Google Patents


Info

Publication number: CN108200053A
Authority: CN (China)
Prior art keywords: apt, track data, data, relevant, track
Legal status: Granted
Application number: CN201711485306.0A
Other languages: Chinese (zh)
Other versions: CN108200053B (en)
Inventors: 王光辉, 黄勇, 童宁, 徐业礼
Current assignee: Chengdu Yaxin Network Security Industry Technology Research Institute Co Ltd
Original assignee: Chengdu Yaxin Network Security Industry Technology Research Institute Co Ltd

Events
    • Application filed by Chengdu Yaxin Network Security Industry Technology Research Institute Co Ltd
    • Priority to CN201711485306.0A
    • Publication of CN108200053A
    • Application granted
    • Publication of CN108200053B
    • Legal status: Active

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 ... for detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY > H04 > H04L > H04L63/00 > H04L63/14 > H04L63/1441 Countermeasures against malicious traffic > H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H ELECTRICITY > H04 > H04L > H04L63/00 Network architectures or network communication protocols for network security > H04L63/20 ... for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application provides a method and device for recording APT attack operations, in the field of communication security, which can record APT attack operations fully and effectively and improve the security of user data. The method includes: when a process starts, obtaining APT track data related to the process, the APT track data including user-mode data and kernel-mode data related to the APT attack; and recording the APT track data.

Description

Method and device for recording APT attack operations
Technical field
This application relates to the field of communication security, and in particular to a method and device for recording APT attack operations.
Background technology
An advanced persistent threat (APT) is a long-duration network attack carried out against a specific target using particular technical means. Compared with other forms of attack, an APT attack stays hidden for longer and steals a larger volume of data, so the security of user data is lower.
In a common intrusion, a user can block the attacker's illegal entry by installing antivirus software. In one APT attack scenario, however, the attacker first collects partial data of a particular terminal in order to obtain its login credentials or login password, and then uses the credentials obtained to steal the data the attacker needs through legitimate software. In this scenario antivirus software cannot effectively record the operations of the legitimate software, so the root cause of the attack on the terminal cannot be traced back, no corresponding defensive measure can be taken against the attack, and data security is low.
Summary of the invention
The application provides a method and device for recording APT attack operations that can comprehensively record the data related to APT attack operations and improve the security of data.
To achieve the above objective, the application adopts the following technical solutions:
In a first aspect, the application provides a method for recording APT attack operations, the method including:
when a process starts, obtaining APT track data related to the process, the APT track data including user-mode data and kernel-mode data related to the APT attack; and recording the APT track data.
In a second aspect, the application provides a device for recording APT attack operations, the device including an acquisition module and a recording module. The acquisition module is configured to obtain, when a process starts, APT track data related to the process, the APT track data including user-mode data and kernel-mode data related to the APT attack; the recording module is configured to record the APT track data.
In a third aspect, the application provides a device for recording APT attack operations, the device including a processor, a transceiver and a memory. The memory stores one or more programs, which include computer-executable instructions; when the device runs, the processor executes the computer-executable instructions stored in the memory so that the device performs the method of the first aspect or of any of its optional implementations.
In a fourth aspect, the application provides a computer-readable storage medium storing instructions; when a device executes the instructions, the device performs the method of the first aspect or of any of its optional implementations.
In the prior art, when an attacker intrudes into a terminal, antivirus software cannot effectively record the operations of the APT attack. By contrast, the method and device for recording APT attack operations provided by the application take the process as the dimension: when a process starts, they obtain the kernel-mode and user-mode data that are related both to the process and to the APT attack operations, and record those kernel-mode and user-mode data. Thus, when an attacker invokes a process in the terminal to carry out an APT attack and performs illegal operations on the terminal, both the user-mode and the kernel-mode illegal operations are recorded, so the attacker's attack operation track is recorded more comprehensively. In the subsequent process, the attack source can be determined from the APT attack operation track and corresponding defensive measures can be taken against the APT attack, improving the security of data.
Description of the drawings
Fig. 1 is a schematic diagram of a communication system architecture provided by an embodiment of the application;
Fig. 2 is a schematic diagram of the composition of a communication system provided by an embodiment of the application;
Fig. 3 is a flow diagram of a method for recording APT attack operations provided by an embodiment of the application;
Fig. 4 is a schematic diagram of an event tree provided by an embodiment of the application;
Fig. 5 is a structure diagram of a device for recording APT attack operations provided by an embodiment of the application;
Fig. 6 is a structure diagram of a device for recording APT attack operations provided by an embodiment of the application.
Specific embodiments
The method and device for recording APT attack operations provided by the embodiments of the application are described in detail below with reference to the accompanying drawings.
The term "and/or" herein only describes an association relation between associated objects and indicates that three relations may exist; for example, "A and/or B" can mean: A alone, both A and B, or B alone.
In addition, the terms "comprising" and "having", and any variants of them, mentioned in the description of the application are intended to cover a non-exclusive inclusion. For example, a process, method, system, product or device that comprises a series of steps or units is not limited to the listed steps or units, but may optionally further include steps or units that are not listed, or other steps or units intrinsic to such a process, method, product or device.
It should be noted that in the embodiments of the application the words "illustrative" or "for example" are used to denote an example, illustration or explanation. Any embodiment or design described as "illustrative" or "for example" in the embodiments should not be interpreted as being preferable to, or more advantageous than, other embodiments or designs. Specifically, the words "illustrative" or "for example" are intended to present a related concept in a concrete way.
In the description of the application, unless otherwise stated, "multiple" means two or more.
The method for recording APT attack operations provided by the embodiments can be applied to the communication network shown in Fig. 1. As shown in Fig. 1, the communication network may include terminals and a server side. A user-mode hook program and a kernel-mode hook program are set in each terminal in Fig. 1; the user-mode hook program obtains user-mode APT track data, and the kernel-mode hook program obtains kernel-mode APT track data. The server side obtains the APT track data from each terminal and performs APT source tracing according to the APT track data, so as to determine the device that initiated the APT attack and the attack pattern of the attacker, in order to subsequently prevent the APT attack.
It should be noted that Fig. 1 is merely an illustrative architecture diagram; besides the functional units shown in Fig. 1, the network architecture may include other functional units, which the embodiments of the application do not limit.
The terminal may be user equipment (UE), for example a mobile phone or a computer, or a cellular telephone, a cordless telephone, a session initiation protocol (SIP) phone, a smart phone, a personal digital assistant (PDA), a laptop computer, a handheld communication device, a handheld computing device, etc.
Fig. 2 is a schematic diagram of the composition of the communication system provided by the embodiments. Referring to Fig. 2, the server side in the communication system includes a communication interface 2002 and a server-side interface 2001. The user inputs an instruction through server-side interface 2001, and the instruction is issued to the terminal through communication interface 2002. The server side may also issue a feature code to the terminal through communication interface 2002; the feature code is used to discover APT attacks by matching. The server side may also issue an APT governance strategy to the terminal through communication interface 2002; the APT governance strategy is used to subsequently prevent APT attacks.
The attacker invokes a terminal process to perform illegal operations. When process 2101 in the terminal is started by remote control, kernel behavior callback interface 2203 sends a process creation notification to user-mode hook manager 2201 and to kernel-mode hook manager 2202, so that user-mode hook manager 2201 sets a user-mode hook program for the process and kernel-mode hook manager 2202 sets a kernel-mode hook program for the process. Afterwards, the user-mode hook program obtains user-mode APT track data and reports them to user-mode hook manager 2201, which judges the type of the data; if the reported data type belongs to the data types included in the white list, user-mode hook manager 2201 sends the data to data record unit 2106 through communication interface 2204, and data record unit 2106 stores the data in a database. Similarly, the kernel-mode hook program can send kernel-mode APT track data to data record unit 2106 through communication interface 2204.
After threat discovery engine 2105 obtains the feature code issued by the server side, it scans the APT track data stored in the database; if it determines that the feature code matches the features of the stored APT track data, it determines that the APT track data come from an APT attacker.
After threat discovery engine 2105 determines that the terminal has been attacked by an APT, it sends a notification to governance engine 2103, instructing governance engine 2103 to further prevent the APT attack according to the APT governance strategy issued by the server side.
The embodiments of the application provide a method for recording APT attack operations; as shown in Fig. 3, the method may include S301-S304:
S301: when a process starts, the terminal obtains APT track data related to the process.
The APT track data include user-mode data and kernel-mode data related to the APT attack.
When the attacker starts a process in the terminal by remote control in order to perform illegal operations, kernel behavior callback interface 2203 in Fig. 2 detects the process start and sends a process creation notification to user-mode hook manager 2201 in the terminal, instructing user-mode hook manager 2201 to set a user-mode hook program for the process; similarly, kernel behavior callback interface 2203 sends a process creation notification to kernel-mode hook manager 2202, instructing kernel-mode hook manager 2202 to set a kernel-mode hook program for the process.
Specifically, in S301 the user-mode hook program obtains the user-mode APT track data related to the process, and the kernel-mode hook program obtains the kernel-mode APT track data related to the process. For example, the attacker invokes process 1 in the terminal and, through process 1, accesses file 1 in the terminal; the APT track data obtained by the kernel-mode hook program may then be the identifier of the file the attacker accessed, i.e. file 1, and the APT track data obtained by the user-mode hook program may be the Internet Protocol (IP) address of the device the attacker uses.
The kernel-mode hook program obtains basic data, which include but are not limited to file-operation-related data; the user-mode hook program obtains the other data besides the basic data. For example, when the attacker carries out a remote APT attack and, through the attacker's device, remotely reads in the user's terminal file 1, which is related to the user's identity (for brevity, the legitimate user who suffers the APT attack is referred to below simply as the user), and work document 2, which is related to the user's job, the kernel-mode hook program obtains the file-related operation data, that is, the identifiers of the files the attacker read, file 1 and file 2, while the user-mode hook program can obtain the address information of the attacker's device and the local Transmission Control Protocol (TCP) connection data. The types of basic data listed above are only illustrative; the specific types of basic data may be set according to the practical application scenario, which the embodiments of the application do not limit.
It is worth noting that, in the prior art, kernel mode is usually very sensitive: if many programs run in kernel mode, or the programs in kernel mode have many pending events and messages, the operating system is likely to crash. In view of this characteristic of kernel mode, in the embodiments of the application the kernel-mode hook program running in kernel mode is used only to obtain the basic data. This simplifies the implementation of the kernel-mode hook program, relieves the pressure on kernel mode while the program runs there, and reduces the complex logic operations and parameter acquisition performed in kernel mode, so that the operating system runs smoothly and the performance of the terminal is improved.
S302: the terminal records the APT track data.
Specifically, S302 may be implemented as:
S3021: the terminal judges whether the obtained APT track data are data of a preset kind, where the preset kinds include any one or more of the following: file-operation-related data, registry-related data, TCP-connection-related data and Domain Name System (DNS) query-related data; if so, S3022 is performed.
The TCP-connection-related data and the DNS-query-related data are used to trace the attacker's address.
S3022: the terminal records the APT track data.
It should be emphasized that the user-mode hook program and the kernel-mode hook program obtain a large amount of APT track data, some of which have little relation to the APT attack. For example, in this APT attack the user-mode hook program obtains data related to a local TCP connection in the terminal; since local TCP connections are usually unrelated to APT attacks, the related data need not be stored. Based on this, a white list can be set; the data types in the white list include registry-related data in the terminal, file-operation-related data, addressing data of the attacker, the attacker's account, TCP-connection-related data and DNS-query-related data, etc., and the types listed in the white list have a strong relation to the APT attack. In the example above, suppose the APT track data obtained by the terminal include file read/write data, the attacker's address information and local TCP connection data. Since the local TCP connection data are not a preset kind included in the white list, they have little or no relation to the APT attack, i.e. APT source tracing cannot be completed from them; therefore, to reduce the storage burden on the terminal, the terminal stores only the file read/write data and the attacker's network address information among the obtained data.
The terminal stores the APT track data in a database. Alternatively, to improve the read/write speed of the APT track data, the terminal may store them using a caching technique, for example the Remote Dictionary Server (Redis) caching technique.
Specifically, the execution flow of S302 is shown in Fig. 2: after the user-mode hook program intercepts the APT track data of the remote attacker (i.e. the attacker), it sends the intercepted APT track data to user-mode hook manager 2201, which judges whether the APT track data are of a preset kind included in the white list; if so, user-mode hook manager 2201 sends the APT track data to data record unit 2106 through communication interface 2204, and data record unit 2106 stores them. Similarly, data record unit 2106 can perform the same storage operation for the kernel-mode APT track data.
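The white-list filtering of S3021/S3022 is simple enough to show end to end. The following Python is an added example, not code from the patent or its assignee; the kind names, the record layout and the sample capture are this example's own assumptions, constructed to mirror the worked example above (two file reads, the attacker's address, and an unrelated local TCP connection that is dropped).

```python
from dataclasses import dataclass
from typing import Iterable

# White list of preset data kinds (S3021). The kind names are an
# assumption of this example; the text only names the categories.
PRESET_KINDS = frozenset({
    "file_op",           # file operation related data (basic data, kernel-mode hook)
    "registry",          # registry related data
    "tcp_connection",    # TCP connection data used to trace the attacker's address
    "dns_query",         # DNS query related data
    "attacker_addr",     # address information of the attacker's device
    "attacker_account",  # account the attacker logged in with
})


@dataclass(frozen=True)
class TrackRecord:
    source: str    # "kernel" or "user": which hook program captured it
    kind: str      # data type assigned by the hook manager
    payload: str   # the captured value (file identifier, address, ...)


def is_preset_kind(record: TrackRecord) -> bool:
    """S3021: does the record belong to a preset (white-listed) kind?"""
    return record.kind in PRESET_KINDS


def filter_track_data(records: Iterable[TrackRecord]) -> list:
    """S3022: keep only white-listed records; the rest are discarded
    because they cannot be used for APT source tracing."""
    return [r for r in records if is_preset_kind(r)]


def store_by_kind(records: Iterable[TrackRecord]) -> dict:
    """Stand-in for data record unit 2106: group the retained records by
    kind so that a later query can look them up quickly."""
    stored = {}
    for r in filter_track_data(records):
        stored.setdefault(r.kind, []).append(r.payload)
    return stored


# Constructed sample capture (not real telemetry): the kernel-mode hook saw
# two file reads, the user-mode hook saw the attacker's address and a
# local TCP connection that is unrelated to the attack.
SAMPLE_CAPTURE = [
    TrackRecord("kernel", "file_op", "read file 1 (user identity document)"),
    TrackRecord("kernel", "file_op", "read file 2 (user work document)"),
    TrackRecord("user", "attacker_addr", "192.168.1.23"),
    TrackRecord("user", "local_tcp", "127.0.0.1:49152 -> 127.0.0.1:8080"),
]

if __name__ == "__main__":
    for kind, values in store_by_kind(SAMPLE_CAPTURE).items():
        print(kind, values)
```

Keeping the white list as data rather than as branches in the hook manager lets the server side extend it through the same channel it uses for feature codes and governance strategies, without touching the kernel-mode hook.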
Optionally, S3022 (recording the APT track data) may be implemented as:
S3022a: the terminal converts the APT track data into data in event tree format.
In the scenario where the attacker opens a terminal process by remote operation in order to attack the terminal, if a threatening process exists in the terminal, the terminal can trace the cause of the threat by looking up the parent process of the threatening process; that is, it records the chain that leads to the threat in the form of an event tree. As shown in Fig. 4, the terminal finds that the parent process of a.vbs and Auto run is a.exe, and that the parent process of a.exe is svsHost; the terminal can then provisionally determine svsHost as the cause of the threat and perform further operations to determine the cause of the threat.
S3022b: the terminal records the APT track data in event tree format.
The APT track data in event tree format are recorded as shown in Fig. 4.
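The event tree of S3022a is a parent-process chain. The following Python is an added example, not code from the patent or its assignee, that builds such a tree from process-creation records, walks from a threatening process up to its top-most known ancestor, and renders the tree as nested data that could be recorded; the process identifiers are made up, and only the process names follow Fig. 4.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int    # process identifier (constructed values below)
    ppid: int   # identifier of the process that started it
    name: str


class EventTree:
    """Event tree built from process-creation records: each node is a
    process and its parent is the process that started it."""

    def __init__(self, events):
        self.by_pid = {e.pid: e for e in events}
        self.children = defaultdict(list)
        for e in events:
            self.children[e.ppid].append(e.pid)

    def parent_chain(self, pid):
        """Process names from the given process up to the top of the tree.
        The walk stops at a pid whose parent was never recorded, or at a
        pid already visited (guards against a corrupted ppid cycle)."""
        chain, seen = [], set()
        while pid in self.by_pid and pid not in seen:
            seen.add(pid)
            event = self.by_pid[pid]
            chain.append(event.name)
            pid = event.ppid
        return chain

    def threat_root(self, pid):
        """Provisional cause of the threat: the top-most known ancestor."""
        chain = self.parent_chain(pid)
        return chain[-1] if chain else None

    def subtree(self, pid):
        """Nested-dict rendering of the tree rooted at pid, i.e. the
        event-tree-format record the terminal would store."""
        event = self.by_pid[pid]
        return {event.name: [self.subtree(c) for c in self.children[pid]]}


# Constructed sample matching Fig. 4: a.vbs and Auto run were started by
# a.exe, and a.exe by svsHost. The pids are made up for the example.
SAMPLE_EVENTS = [
    ProcessEvent(pid=100, ppid=4, name="svsHost"),
    ProcessEvent(pid=200, ppid=100, name="a.exe"),
    ProcessEvent(pid=300, ppid=200, name="a.vbs"),
    ProcessEvent(pid=301, ppid=200, name="Auto run"),
]

if __name__ == "__main__":
    tree = EventTree(SAMPLE_EVENTS)
    print(tree.parent_chain(300))
    print(tree.subtree(100))
```

The cycle guard matters in practice: process identifiers are reused by the operating system, so a stale creation record can make a pid appear to be its own ancestor, and an unguarded walk would never terminate.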
In the embodiments of the application, the server side sends the feature code used to match APT attacks to the terminal in advance. After the above APT track data have been stored in the terminal, the terminal obtains the feature code of the APT track data; if the feature code includes a preset feature code, the terminal sends an alarm message to the server side, the alarm message carrying the APT track data. The preset feature code is a characteristic behaviour code of APT attack operations. For example, if a certain APT attack usually invokes process A in the terminal to perform file read/write operations, the invocation of process A can be taken as the preset feature code. When the feature code of the APT track data includes the preset feature code, the remote operation corresponding to the APT track data has also invoked process A; at this point the terminal provisionally treats the remote operation corresponding to the APT track data as a threat operation and sends an alarm message to the server side, so that the server side can further determine whether the remote operation is an APT attack operation.
In the embodiments of the application, the server side can also actively initiate a query instruction; the terminal responds to the query instruction by querying the currently stored APT track data and sending corresponding feedback to the server side, so that the server side can determine the device that initiated the APT attack and the APT attack pattern. Specifically, S303 and S304 may be performed.
S303: the terminal receives a query instruction from the server side, the query instruction carrying attribute information of the APT attack.
Suppose that initially the server side in the enterprise sends an APT query instruction to terminal 1 in Fig. 1, and terminal 1 feeds back APT track data to the server side indicating that a certain device logged in with account 1 by remote operation and accessed the user identity document and the user work file stored in terminal 1. After that, the device logs in to terminal 1 remotely with account 1 several more times, and the address of the device that logs in to terminal 1 with account 1 is not an address commonly used in the enterprise. This indicates that an attacker has very probably stolen and used the user's legitimate account 1; in this scenario the server side provisionally treats account 1 as an abnormal account.
It should be understood that the above way of determining an abnormal account is only illustrative; the specific way of determining an abnormal account may be set according to the practical application scenario, which the embodiments of the application do not limit.
After determining abnormal account 1, the server side can send a query instruction to the other terminals in the enterprise, the query instruction including attribute information of the APT attacker. Optionally, the attribute information may be the above abnormal account 1.
S304: if the terminal determines that APT track data related to the attribute information exist, it sends the APT track data related to the attribute information to the server side, so that the server side determines the device that initiated the APT attack according to the APT track data related to the attribute information.
Suppose that in the system shown in Fig. 1, after terminals 1 to 5 receive the query instruction sent by the server side: terminal 1 determines, by querying its stored APT track data, that abnormal account 1 once accessed it, and sends the APT track data related to the abnormal account to the server side; terminal 2 determines, by querying its stored APT track data, that abnormal account 1 never accessed it, and need not respond to the query instruction; terminal 3 determines, by querying its stored APT track data, that abnormal account 1 once accessed it, and sends the APT track data related to the abnormal account to the server side; terminal 4 determines, by querying its stored APT track data, that abnormal account 1 never accessed it, and need not respond to the query instruction; terminal 5 determines, by querying its stored APT track data, that abnormal account 1 never accessed it, and need not respond to the query instruction.
The server side receives the APT track data of terminal 1 and terminal 3. The APT track data of terminal 1 indicate that abnormal account 1 once accessed terminal 1, that abnormal account 1 read the bank data file of terminal 1, and that the login IP of abnormal account 1 is 192.168.1.23; the APT track data of terminal 3 indicate that abnormal account 1 once accessed terminal 3, that abnormal account 1 likewise read the bank data file of terminal 3, and that the login IP of abnormal account 1 is 192.168.1.23. The server side therefore determines from the APT track data of terminal 1 and terminal 3 that the attacked terminals are terminal 1 and terminal 3, that the operation performed by the attacker is reading the bank data file, and that the attacker's device IP is 192.168.1.23. At this point the server side has determined the attack scope of the APT attack, i.e. terminal 1 and terminal 3, the attack means of the APT attack, i.e. reading the bank data file, and the attacker's device IP, i.e. 192.168.1.23.
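The feature-code alarm and the S303/S304 query exchange share one data model, so the following Python is one added example serving both passages; it is not code from the patent or its assignee. It models a terminal that raises an alarm when a stored record matches the preset feature code (here, the invoked process name) and that answers a server query only when it holds data related to the queried account, plus the server-side correlation that derives attack scope, attack means and attacker IP. The record layout, the "process A" / "process B" names and the records of the uninvolved terminals are constructed for the example; the five-terminal outcome and the IP 192.168.1.23 follow the scenario above.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class TrackRecord:
    account: str    # account the remote operation logged in with
    login_ip: str   # address of the device that logged in
    operation: str  # what the remote operation did
    process: str    # terminal process the remote operation invoked


@dataclass
class Terminal:
    name: str
    track_data: list = field(default_factory=list)

    def alarm_for(self, preset_feature_code):
        """Feature-code check: stored records whose invoked process matches
        the preset feature code pushed by the server side. A non-empty list
        is what the terminal would carry in its alarm message."""
        return [r for r in self.track_data if r.process == preset_feature_code]

    def answer_query(self, account):
        """S303/S304: return the stored records related to the queried
        account, or None when there are none (the terminal stays silent)."""
        hits = [r for r in self.track_data if r.account == account]
        return hits or None


def trace_apt(terminals, abnormal_account):
    """Server side: query every terminal, collect the replies and derive
    the attack scope, the attack means and the attacker's device IP."""
    affected, means, attacker_ips = [], set(), set()
    for terminal in terminals:
        hits = terminal.answer_query(abnormal_account)
        if hits is None:
            continue  # terminal did not respond: no related track data
        affected.append(terminal.name)
        for r in hits:
            means.add(r.operation)
            attacker_ips.add(r.login_ip)
    return {
        "affected_terminals": affected,
        "attack_means": sorted(means),
        "attacker_ips": sorted(attacker_ips),
    }


# Constructed sample following the five-terminal scenario: terminals 1 and 3
# hold records of abnormal account 1; the other records are benign filler.
_ATTACK = TrackRecord("account 1", "192.168.1.23", "read bank data file", "process A")
_NORMAL = TrackRecord("account 7", "10.0.0.5", "open work document", "process B")
SAMPLE_TERMINALS = [
    Terminal("terminal 1", [_ATTACK]),
    Terminal("terminal 2", [_NORMAL]),
    Terminal("terminal 3", [_ATTACK]),
    Terminal("terminal 4", []),
    Terminal("terminal 5", [_NORMAL]),
]

if __name__ == "__main__":
    print(trace_apt(SAMPLE_TERMINALS, "account 1"))
    print([t.name for t in SAMPLE_TERMINALS if t.alarm_for("process A")])
```

Returning None rather than an empty list from answer_query keeps the two cases distinct on the server: a terminal that answered "nothing related" and a terminal that never answered at all should not be counted the same way when the attack scope is reported.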
It should be understood that before the server side performs the above APT source tracing flow, i.e. determining the attacker's attack scope, attack means and device IP, the server side can issue to the terminal, through communication interface 2002, an APT governance strategy for intercepting or handling APT attacks. Then, after completing the APT source tracing, i.e. after finding the attacked terminals and the APT attack means, the server side can intercept and handle the APT attack according to the APT governance strategy. Specifically, the server side issues the APT governance strategy to governance engine 2103 of the terminal through communication interface 2002, and governance engine 2103 issues the APT governance strategy to the user-mode hook program, the kernel-mode hook program, user-mode hook manager 2201 and kernel-mode hook manager 2202. The user-mode hook program, the kernel-mode hook program, user-mode hook manager 2201 and kernel-mode hook manager 2202 in the terminal then cut off the connection with the attacker, or take other measures to further prevent the APT attack, according to the APT governance strategy.
In the prior art, when an attacker intrudes into a terminal, antivirus software cannot effectively record the operations of the APT attack. By contrast, the method and device for recording APT attack operations provided by the application take the process as the dimension: when a process starts, they obtain the kernel-mode and user-mode data that are related both to the process and to the APT attack operations, and record those kernel-mode and user-mode data. Thus, when an attacker invokes a process in the terminal to carry out an APT attack and performs illegal operations on the terminal, both the user-mode and the kernel-mode illegal operations are recorded, so the attacker's attack operation track is recorded more comprehensively. In the subsequent process, the attack source can be determined from the APT attack operation track and corresponding defensive measures can be taken against the APT attack, improving the security of data.
The method of the embodiments of the application is described below with reference to a specific application scenario.
In an APT attack, the attacker obtains the account of an enterprise employee and penetrates the enterprise intranet; the attacker then executes remote attack commands and steals enterprise data through the legitimate account obtained. With the method of determining an abnormal account described above, when the server side finds an abnormal account it can send a query instruction to each terminal; from the APT track data fed back by each terminal, the server side can determine which terminals the abnormal account accessed, which contents of those terminals the abnormal account accessed and the login IP of the abnormal account, and thus obtain the attack track of the whole APT attack.
The embodiment of the present application can carry out function module or functional unit according to above method example to above device It divides, for example, can correspond to each function divides each function module or functional unit, it can also be by two or more Function be integrated in a processing module.The form that hardware had both may be used in above-mentioned integrated module is realized, can also be used The form of software function module or functional unit is realized.Wherein, it is to the division of module or unit in the embodiment of the present application Schematically, only a kind of division of logic function, can there is other dividing mode in actual implementation.
Fig. 5 shows a kind of possible structure diagram of device involved in above-described embodiment.The device 50 includes Receiving module 501, sending module 502, acquisition module 503, judgment module 504 and logging modle 505.
Wherein, acquisition module 503, for when process initiation, obtaining and the relevant APT track datas of process, APT tracks Data include attacking relevant User space data and kernel state data with APT;
Logging modle 505, for recording APT track datas.
In another realization method of the embodiment of the present application, judgment module 504 is additionally operable to the APT tracks for judging to obtain Whether data are preset kind data, and preset kind data include any one of following or multinomial:The relevant data of file operation, note The relevant data of volume table, the relevant data of TCP connection and the relevant data of DNS query;
Logging modle 505, be additionally operable to if it is determined that the APT track datas obtained be preset kind data, then record APT tracks Data.
In another realization method of the embodiment of the present application, logging modle 505, specifically for APT track datas are turned Turn to the data of event tree format;The APT track datas of record event tree format.
In another realization method of the embodiment of the present application, acquisition module 503 is additionally operable to obtain APT track datas Condition code;
Sending module 502 if including default condition code for condition code, sends alarm information, alarm disappears to server-side Breath carries APT track datas.
In another realization method of the embodiment of the present application, receiving module 501, the inquiry for receiving server-side refers to It enables, inquiry instruction carries the attribute information of APT attacks;
Sending module 502, be additionally operable to if it is determined that in the presence of with the relevant APT track datas of attribute information, then to server-side send out Send with the relevant APT track datas of attribute information so that server-side is determined according to the relevant APT track datas of attribute information The equipment for initiating APT attacks.
With in the prior art, attacker to terminal carry out invasion scene in, antivirus software can not effectively record APT and attack The operation hit is compared, and the device of record APT attack operations that the application provides when process initiation, using the process as dimension, obtains Kernel state related to the process and relevant with APT attack operations and User space data are taken, and record above-mentioned kernel state data With User space data.As it can be seen that when attacker calls the process in terminal to carry out APT attacks to terminal, and terminal is carried out non- When method operates, in this application, the illegal operation of User space can either be recorded, and can be to the illegal operation of kernel state It is recorded, can more comprehensively record the attack operation track of attacker, thus in follow-up process, it can basis APT attack operations track determines attack source, and takes corresponding defensive measure to APT attacks, promotes the safety of data.
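The terminal-side flow described above (keep only preset-kind track data, store it as an event tree per process, derive a feature code and raise an alarm when it matches a preset feature code, answer the server's attribute query) and the abnormal-account tracing scenario, as an added Python example that is not the patent's own code. The sample events, the feature-code rule ("time-ordered sequence of operation kinds") and the preset feature codes are constructed assumptions for illustration.

```python
from collections import defaultdict

# Preset kinds named in the text: file operation, registry, TCP connection, DNS query.
PRESET_KINDS = {"file", "registry", "tcp", "dns"}

# Constructed preset feature codes; the patent does not list concrete values.
PRESET_FEATURE_CODES = {"dns>tcp>file"}

# Constructed sample track data from two terminals. Each record is one hook
# result; "mode" is the patent's user-mode / kernel-mode distinction.
SAMPLE_EVENTS = {
    "term-A": [
        {"ts": 1, "pid": 40, "mode": "user", "kind": "dns", "detail": "c2.example", "account": "alice", "login_ip": "203.0.113.5"},
        {"ts": 2, "pid": 40, "mode": "user", "kind": "tcp", "detail": "198.51.100.9:443", "account": "alice", "login_ip": "203.0.113.5"},
        {"ts": 3, "pid": 40, "mode": "kernel", "kind": "file", "detail": "read /srv/finance.xlsx", "account": "alice", "login_ip": "203.0.113.5"},
        {"ts": 4, "pid": 41, "mode": "user", "kind": "window", "detail": "focus", "account": "bob", "login_ip": "10.0.0.7"},
    ],
    "term-B": [
        {"ts": 5, "pid": 7, "mode": "kernel", "kind": "registry", "detail": "set Run\\upd", "account": "alice", "login_ip": "203.0.113.5"},
    ],
}


def record_track_data(events):
    """Judgment + logging modules: keep only preset-kind records and store them
    as an event tree keyed by process id, then by mode, ordered by timestamp."""
    tree = defaultdict(lambda: {"user": [], "kernel": []})
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] in PRESET_KINDS:
            tree[ev["pid"]][ev["mode"]].append(ev)
    return dict(tree)


def feature_code(subtree):
    """Acquisition module: derive a feature code for one process's subtree.
    Constructed rule: the time-ordered operation kinds joined with '>'."""
    ordered = sorted(subtree["user"] + subtree["kernel"], key=lambda e: e["ts"])
    return ">".join(ev["kind"] for ev in ordered)


def alarm_messages(tree):
    """Sending module: one alarm message, carrying the track data, for every
    process whose feature code is one of the preset feature codes."""
    return [{"pid": pid, "feature_code": feature_code(sub), "track_data": sub}
            for pid, sub in tree.items() if feature_code(sub) in PRESET_FEATURE_CODES]


def answer_query(tree, attribute):
    """Receiving/sending modules: return the track data related to the attribute
    information in a query instruction (constructed as a key/value pair)."""
    key, value = attribute
    return [ev for sub in tree.values() for mode in sub.values()
            for ev in mode if ev.get(key) == value]


def trace_attack(terminals, attribute):
    """Server side: query every terminal and summarise which terminals the
    abnormal account accessed, what it accessed there, and the login IPs seen."""
    summary = {"terminals": [], "contents": {}, "login_ips": set()}
    for name, events in terminals.items():
        hits = answer_query(record_track_data(events), attribute)
        if hits:
            summary["terminals"].append(name)
            summary["contents"][name] = [f"{ev['kind']}:{ev['detail']}" for ev in hits]
            summary["login_ips"].update(ev["login_ip"] for ev in hits)
    return summary
```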
Fig. 6 shows another possible structure diagram of the device involved in the above embodiment. The device 60 includes a processing unit 602 and a communication unit 603. The processing unit 602 is configured to control and manage the actions of the device, for example to perform the steps performed by the above acquisition module 503, judgment module 504 and logging module 505, and/or to perform other processes of the technology described herein. The communication unit 603 is configured to support communication between the device 60 and other network entities, for example to perform the steps performed by the above receiving module 501 and sending module 502. The device 60 may also include a storage unit 601 and a bus 604; the storage unit 601 is configured to store the program code and data of the device 60.
The above processing unit 602 may be a processor or controller in the device 60, which may implement or execute the various illustrative logic blocks, modules and circuits described in connection with the present disclosure. The processor or controller may be a central processing unit, a general-purpose processor, a digital signal processor (Digital Signal Processing, DSP), an application-specific integrated circuit, a field programmable gate array or other programmable logic device, a transistor logic device, a hardware component or any combination thereof. It may implement or execute the various illustrative logic blocks, modules and circuits described in connection with the present disclosure. The processor may also be a combination that realizes computing functions, for example a combination of one or more microprocessors, or a combination of a DSP and a microprocessor.
The communication unit 603 may be a transceiver, a transmission circuit or a communication interface in the device 60.
The storage unit 601 may be a memory in the device 60. The memory may include volatile memory, such as random access memory; it may also include non-volatile memory, such as read-only memory, flash memory, a hard disk or a solid state disk; it may also include a combination of the above kinds of memory.
The bus 604 may be an Extended Industry Standard Architecture (EISA) bus or the like. The bus 604 may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one thick line is used in Fig. 6, which does not mean that there is only one bus or only one type of bus.
Through the above description of the embodiments, it is clear to those skilled in the art that, for convenience and brevity of description, only the division of the above function modules is used as an example; in practical applications the above functions may be allocated to different function modules as needed, i.e. the internal structure of the device is divided into different function modules to complete all or part of the functions described above. For the specific working process of the system, device and units described above, reference may be made to the corresponding process in the foregoing method embodiment, which is not repeated here.
The embodiment of the present application further provides a computer readable storage medium in which instructions are stored; when the above device executes the instructions, the device performs each step of the method flow executed by the device in the above method embodiment.
The computer readable storage medium may be, but is not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the above. More specific examples (a non-exhaustive list) of the computer readable storage medium include: an electrical connection with one or more wires, a portable computer diskette, a hard disk, random access memory (Random Access Memory, RAM), read-only memory (Read-Only Memory, ROM), erasable programmable read-only memory (Erasable Programmable Read Only Memory, EPROM), a register, a hard disk, an optical fiber, portable compact disc read-only memory (Compact Disc Read-Only Memory, CD-ROM), an optical storage device, a magnetic storage device, any suitable combination of the above, or a computer readable storage medium of any other form known in the art. An exemplary storage medium is coupled to the processor so that the processor can read information from and write information to the storage medium. Of course, the storage medium may also be a component of the processor. The processor and the storage medium may be located in an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC). In the embodiment of the present application, the computer readable storage medium may be any tangible medium that contains or stores a program, which may be used by or in connection with an instruction execution system, apparatus or device.
The above are only specific embodiments of the present application, but the protection scope of the present application is not limited thereto; any change or replacement within the technical scope disclosed in the present application shall be covered by the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

  1. A method for recording advanced persistent threat (APT) attack operations, characterized in that it comprises:
    when a process starts, obtaining APT track data related to the process, the APT track data including user-mode data and kernel-mode data related to the APT attack; and
    recording the APT track data.
  2. The method according to claim 1, characterized in that, after obtaining the APT track data related to the process, the method further comprises:
    judging whether the obtained APT track data is data of a preset type, the preset type data including any one or more of the following: data related to file operations, data related to the registry, data related to transmission control protocol (TCP) connections and data related to domain name system (DNS) queries; and
    if so, recording the APT track data.
  3. The method according to claim 1 or 2, characterized in that recording the APT track data comprises:
    converting the APT track data into data in an event tree format; and
    recording the APT track data in the event tree format.
  4. The method according to claim 1, characterized in that, after recording the APT track data, the method further comprises:
    obtaining a feature code of the APT track data; and
    if the feature code includes a preset feature code, sending an alarm message to the server side, the alarm message carrying the APT track data.
  5. The method according to claim 1, characterized in that, after recording the APT track data, the method further comprises:
    receiving a query instruction from the server side, the query instruction carrying attribute information of the APT attack; and
    if it is determined that APT track data related to the attribute information exists, sending the APT track data related to the attribute information to the server side, so that the server side determines the device that initiated the APT attack according to the APT track data related to the attribute information.
  6. A device for recording APT attack operations, characterized in that it comprises:
    an acquisition module, configured to obtain, when a process starts, APT track data related to the process, the APT track data including user-mode data and kernel-mode data related to the APT attack; and
    a logging module, configured to record the APT track data.
  7. The device according to claim 6, characterized in that the device further comprises a judgment module;
    the judgment module is configured to judge whether the obtained APT track data is data of a preset type, the preset type data including any one or more of the following: data related to file operations, data related to the registry, data related to TCP connections and data related to DNS queries; and
    the logging module is further configured to record the APT track data if it is determined that the obtained APT track data is data of a preset type.
  8. The device according to claim 6 or 7, characterized in that the logging module is specifically configured to convert the APT track data into data in an event tree format and to record the APT track data in the event tree format.
  9. The device according to claim 6, characterized in that the device further comprises a sending module;
    the acquisition module is further configured to obtain a feature code of the APT track data; and
    the sending module is configured to send an alarm message to the server side if the feature code includes a preset feature code, the alarm message carrying the APT track data.
  10. The device according to claim 6, characterized in that the device further comprises a receiving module;
    the receiving module is configured to receive a query instruction from the server side, the query instruction carrying attribute information of the APT attack; and
    the sending module is further configured to send the APT track data related to the attribute information to the server side if it is determined that APT track data related to the attribute information exists, so that the server side determines the device that initiated the APT attack according to the APT track data related to the attribute information.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711485306.0A CN108200053B (en) 2017-12-30 2017-12-30 Method and device for recording APT attack operation

Publications (2)

Publication Number Publication Date
CN108200053A true CN108200053A (en) 2018-06-22
CN108200053B CN108200053B (en) 2021-05-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant