CN108234426B - APT attack warning method and APT attack warning device - Google Patents


Info

Publication number: CN108234426B
Authority: CN (China)
Application number: CN201611196656.0A
Other versions: CN108234426A
Other languages: Chinese (zh)
Prior art keywords: behavior, business, abnormal, business behavior, behaviors
Inventor: 王欢
Current assignee: China Mobile Communications Group Co Ltd; China Mobile Group Anhui Co Ltd
Original assignee: China Mobile Communications Group Co Ltd; China Mobile Group Anhui Co Ltd
Legal status: Active (as listed by Google Patents; not a legal conclusion)
Events: application filed by China Mobile Communications Group Co Ltd and China Mobile Group Anhui Co Ltd; priority to CN201611196656.0A; published as CN108234426A; application granted and published as CN108234426B.

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic (common parent of the three leaf classifications below)
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic > H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic > H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks


Abstract

The disclosure relates to an APT attack warning method and an APT attack warning device. The APT attack warning method comprises the following steps: acquiring data of a plurality of business behaviors, wherein the data comprises attribute information of each business behavior; comparing the attribute information of each business behavior in the plurality of business behaviors with predetermined normal business behavior attribute information to determine whether each business behavior is a normal business behavior or an abnormal business behavior; when at least one abnormal business behavior exists in the plurality of business behaviors, establishing an abnormal business behavior data chain for each abnormal business behavior, wherein the abnormal business behavior data chain comprises a business behavior sequence associated with the abnormal business behavior; and matching each abnormal business behavior data chain with a predetermined APT attack judgment rule, and issuing an APT attack alarm for each abnormal business behavior data chain whose matching degree is higher than a threshold value.

Description

APT attack warning method and APT attack warning device
Technical Field
The present disclosure relates to the field of information security service technologies, and in particular, to an APT attack warning method and an APT attack warning device.
Background
Advanced Persistent Threat (APT) attacks are network attacks in which attackers target a specific victim in order to steal its core data. Such attacks are usually carefully planned: data is stolen from a specific target over a long period in a planned and organized manner, and the attack is highly covert, so traditional security defense systems have difficulty detecting it effectively.
Conventionally there are two main approaches to alarming on APT attacks: detection based on a feature (signature) library, and detection based on a dynamic analysis model. The former relies on samples and a feature library; although its detection accuracy is high, its detection range is clearly limited in the face of constantly updated attack techniques and their many variants, so a large number of APT attacks go undetected: only known APT attacks can be detected, and unknown APT attacks cannot. The latter, dynamic detection method has a relatively complex process, and building the dynamic analysis model is difficult. Although it can widen the APT detection range, searching for attack behavior in massive data is like looking for a needle in a haystack, so the detection accuracy of this method is low.
Disclosure of Invention
According to a first aspect of the embodiments of the present disclosure, an APT attack warning method is provided, where the method includes: acquiring data of a plurality of business behaviors, wherein the data comprises attribute information of each business behavior; comparing the attribute information of each business behavior in the plurality of business behaviors with predetermined normal business behavior attribute information to determine whether each business behavior is a normal business behavior or an abnormal business behavior; when at least one abnormal business behavior exists in the plurality of business behaviors, establishing an abnormal business behavior data chain for each abnormal business behavior, wherein the abnormal business behavior data chain comprises a business behavior sequence associated with the abnormal business behavior; and matching each abnormal business behavior data chain with a predetermined APT attack judgment rule, and issuing an APT attack alarm for each abnormal business behavior data chain whose matching degree is higher than a threshold value.
According to a second aspect of the embodiments of the present disclosure, an APT attack warning device is provided, including: an acquisition unit configured to acquire data of a plurality of business behaviors, wherein the data comprises attribute information of each business behavior; a determining unit configured to compare the attribute information of each business behavior in the plurality of business behaviors with predetermined normal business behavior attribute information, so as to determine whether each business behavior is a normal business behavior or an abnormal business behavior; an establishing unit configured to establish an abnormal business behavior data chain for each abnormal business behavior when at least one abnormal business behavior exists in the plurality of business behaviors, wherein the abnormal business behavior data chain comprises a business behavior sequence associated with the abnormal business behavior; and a judging unit configured to match each abnormal business behavior data chain with a predetermined APT attack judgment rule and to issue an APT attack alarm for each abnormal business behavior data chain whose matching degree is higher than a threshold value.
According to a third aspect of the embodiments of the present disclosure, an APT attack warning device is provided, which includes: a processor; and a memory for storing processor-executable instructions; wherein the processor is configured to acquire data of a plurality of business behaviors, wherein the data comprises attribute information of each business behavior; compare the attribute information of each business behavior in the plurality of business behaviors with predetermined normal business behavior attribute information to determine whether each business behavior is a normal business behavior or an abnormal business behavior; when at least one abnormal business behavior exists in the plurality of business behaviors, establish an abnormal business behavior data chain for each abnormal business behavior, wherein the abnormal business behavior data chain comprises a business behavior sequence associated with the abnormal business behavior; and match each abnormal business behavior data chain with a predetermined APT attack judgment rule, and issue an APT attack alarm for each abnormal business behavior data chain whose matching degree is higher than a threshold value.
With the APT attack warning method and the APT attack warning device, all business-based behaviors can be covered in the APT attack warning process, giving a wide detection range. In addition, the APT attack determination is made on the abnormal business behavior data chain rather than on a single abnormal business behavior, so higher accuracy can be ensured.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure. In the drawings:
FIG. 1 is a flowchart illustrating an APT attack warning method according to an embodiment;
FIG. 2 is a block diagram illustrating an APT attack warning device according to an embodiment;
FIG. 3 is a schematic diagram illustrating an APT attack warning device according to an embodiment.
With the foregoing drawings in mind, certain embodiments of the disclosure have been shown and described in more detail below. These drawings and written description are not intended to limit the scope of the disclosed concepts in any way, but rather to illustrate the concepts of the disclosure to those skilled in the art by reference to specific embodiments.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The implementations described in the exemplary embodiments below are not intended to represent all implementations consistent with the present disclosure. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present disclosure, as detailed in the appended claims.
FIG. 1 is a flowchart illustrating an APT attack warning method according to an embodiment. As shown in FIG. 1, at step 101, data of a plurality of business behaviors is acquired, wherein the data includes attribute information of each business behavior.
In some embodiments, the data of the plurality of business behaviors may be acquired using big data collection techniques, and the acquired data may be, for example, traffic data of the business network and log data of application systems, host devices, network devices, security devices, and the like.
Further, the attribute information may include a plurality of attributes. In some embodiments it includes at least one of the following attributes: behavior identification, behavior body, behavior time, behavior object, behavior operation and behavior association information. In some embodiments, the behavior identification may be a behavior number; the behavior body may be a host (e.g., an IP address), an operator (e.g., an account) or a system service (e.g., a process name); the behavior time may be the point in time (e.g., to the nearest second) at which the behavior occurred; the behavior object may be a target host (e.g., an IP address), a file name (e.g., a storage path) or a database table; and the behavior operation may be addition, copy, query, modification, deletion or transmission.
At step 102, the attribute information of each business behavior of the plurality of business behaviors is compared with the predetermined normal business behavior attribute information to determine whether each business behavior is a normal business behavior or an abnormal business behavior.
In some embodiments, because the data of the plurality of business behaviors is acquired using big data acquisition techniques, a huge volume of data must be processed; however, only the attribute information of each business behavior needs to be extracted for analysis, which reduces both the amount of computation and the complexity. The predetermined normal business behavior attribute information includes the attribute information of a plurality of known normal business behaviors. In some embodiments, a technician defines certain known business behaviors as normal business behaviors based on experience, acquires data of those normal business behaviors and extracts their attribute information, thereby forming the predetermined normal business behavior attribute information. In some embodiments, during the APT attack warning process, the attribute information of a business behavior determined to be a normal business behavior may be added to the predetermined normal business behavior attribute information. The predetermined normal business behavior attribute information is thus continuously updated and refined during the APT attack warning process, so that the APT attack warning capability becomes progressively stronger.
At step 103, when at least one abnormal business behavior exists among the plurality of business behaviors, an abnormal business behavior data chain is established for each abnormal business behavior, wherein the abnormal business behavior data chain comprises a business behavior sequence associated with the abnormal business behavior.
A single abnormal business behavior may be merely an anomalous operation, and issuing an APT attack alarm on the basis of a single abnormal business behavior is clearly not accurate enough. Therefore, starting from the single abnormal business behavior, the business behaviors related to it before and after are determined, yielding a business behavior data chain. The data chain, that is, the business behavior sequence, is then judged, which improves the accuracy of the APT attack alarm.
The abnormal business behavior data chain may be established in various ways. In some embodiments the attribute information includes behavior association information, and establishing the abnormal business behavior data chain may include: for each abnormal business behavior, determining the business behaviors associated with it according to the behavior association information included in the attribute information of each of the plurality of business behaviors, and forming the abnormal business behavior data chain of that abnormal business behavior from the determined business behaviors and the abnormal business behavior, ordered by behavior time. There is a certain association between business behaviors, for example business behaviors that share the same behavior body, behavior object and behavior operation within a relatively continuous period of time, and the behavior association information represents such an association.
In some embodiments, the attribute information of each business behavior includes behavior association information, and establishing the abnormal business behavior data chain may include: for each abnormal business behavior, determining the business behaviors associated with it according to the behavior association information included in the attribute information of each business behavior within a certain time period before and after the abnormal business behavior, and forming the abnormal business behavior data chain of that abnormal business behavior from the determined business behaviors and the abnormal business behavior, ordered by behavior time. For example, a fixed time length (e.g., one minute) may be preset, the associated business behaviors are searched for only within that period with the abnormal business behavior as its midpoint, and the abnormal business behavior data chain is established from the determined behaviors and the abnormal business behavior.
In some embodiments, establishing the abnormal business behavior data chain may include: with the abnormal business behavior as the center, searching before and after it respectively to determine the business behaviors associated with it; counting the number of business behaviors determined to be associated with the abnormal business behavior; and when that number reaches a preset threshold, forming the abnormal business behavior data chain from the determined business behaviors and the abnormal business behavior. For example, a number (e.g., 100) may be preset, and when the number of associated business behaviors determined reaches that number, the abnormal business behavior data chain may be established directly from the determined behaviors and the abnormal business behavior.
At step 104, each abnormal business behavior data chain is matched against a predetermined APT attack judgment rule, and an APT attack alarm is issued for each abnormal business behavior data chain whose matching degree is higher than a threshold value.
The APT attack judgment rule includes a set of APT attack behavior patterns, which may comprise a variety of rule contents; in some embodiments it includes at least one of the following types: business operations at non-business times, or non-business operations at business times; frequent data communication with a particular IP address; data stored abnormally in compressed or encrypted form; data automatically uploaded to an untrusted target; data transmission at discontinuous times; and the same data file circulated multiple times.
In some embodiments, after the abnormal business behavior data chain is obtained, the behavior information in the chain is analyzed against the APT judgment rule; the data in the chain is then subjected to statistical analysis and compared with normal statistical data, the probability that the chain is an APT attack is calculated, and when that probability is higher than a certain threshold value an APT attack alarm is issued.
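As an added example (not code from the patent or the applicant's implementation), steps 101 to 104 above as a small Python pipeline over constructed behavior records: a (body, object, operation) baseline for step 102, a one-minute window centred on each anomaly with a count cap for step 103, and four of the six listed rule types scored as a matching degree for step 104. The business hours, the trusted-target set, the window, the cap, the threshold and the sample records are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Behavior:
    """One business behavior carrying the attribute set the page lists."""
    bid: int        # behavior identification (behavior number)
    subject: str    # behavior body: host IP, operator account or process name
    time: datetime  # behavior time, to the second
    obj: str        # behavior object: target host, file path or database table
    op: str         # behavior operation: add/copy/query/modify/delete/transmit


# Step 102 baseline: predetermined normal-behavior attribute information, kept as
# (body, object, operation) triples. Constructed sample values.
NORMAL_BASELINE = {
    ("svc_report", "db.customers", "query"),
    ("svc_report", "/srv/reports/daily.csv", "add"),
    ("svc_report", "10.0.0.20", "transmit"),
}
BUSINESS_HOURS = range(9, 18)    # assumed: 09:00-17:59 is business time
TRUSTED_TARGETS = {"10.0.0.20"}  # assumed: the only trusted transmission target


def classify(behaviors, baseline):
    """Step 102: compare each behavior's attribute triple with the baseline."""
    normal, abnormal = [], []
    for b in behaviors:
        (normal if (b.subject, b.obj, b.op) in baseline else abnormal).append(b)
    return normal, abnormal


def update_baseline(baseline, normal):
    """Optional step from the page: fold confirmed-normal behaviors into the baseline."""
    return baseline | {(b.subject, b.obj, b.op) for b in normal}


def build_chain(anomaly, behaviors, window=timedelta(minutes=1), max_count=100):
    """Step 103: anomaly plus same-body behaviors inside a window centred on it,
    nearest first, capped at max_count, returned in time order."""
    half = window / 2
    related = [b for b in behaviors
               if b.bid != anomaly.bid and b.subject == anomaly.subject
               and abs(b.time - anomaly.time) <= half]
    related.sort(key=lambda b: abs(b.time - anomaly.time))
    return sorted(related[:max_count - 1] + [anomaly], key=lambda b: b.time)


# Step 104: four of the six rule types the page lists, each a predicate on a chain.
def rule_off_hours(chain):
    """Business operation at non-business time."""
    return any(b.time.hour not in BUSINESS_HOURS for b in chain)

def rule_frequent_ip(chain, min_count=3):
    """Frequent data communication with one particular IP address."""
    counts = Counter(b.obj for b in chain if b.op == "transmit")
    return any(n >= min_count for n in counts.values())

def rule_untrusted_upload(chain):
    """Data transmitted to a target outside the trusted set."""
    return any(b.op == "transmit" and b.obj not in TRUSTED_TARGETS for b in chain)

def rule_encrypt_compress(chain):
    """Data stored abnormally as a compressed or encrypted archive (by extension)."""
    return any(b.op == "copy" and b.obj.endswith((".zip", ".7z", ".gpg")) for b in chain)

RULES = (rule_off_hours, rule_frequent_ip, rule_untrusted_upload, rule_encrypt_compress)


def matching_degree(chain):
    """Fraction of the APT rules the chain satisfies (0.0 .. 1.0)."""
    return sum(1 for rule in RULES if rule(chain)) / len(RULES)


def alert(behaviors, baseline, threshold=0.5):
    """Steps 101-104 end to end: {anomaly bid: degree} for every chain that alarms."""
    _, abnormal = classify(behaviors, baseline)
    alarms = {}
    for anomaly in abnormal:
        degree = matching_degree(build_chain(anomaly, behaviors))
        if degree > threshold:
            alarms[anomaly.bid] = degree
    return alarms


# Constructed sample log: a service account queries a table at 03:15, packs the result
# and pushes it three times to an address outside the trusted set; an unrelated
# daytime query by another account is abnormal but isolated, so it does not alarm.
T0 = datetime(2024, 3, 12, 3, 15, 0)
SAMPLE = [
    Behavior(1, "svc_report", T0, "db.customers", "query"),
    Behavior(2, "svc_report", T0 + timedelta(seconds=5), "/tmp/.cache/out.zip", "copy"),
    Behavior(3, "svc_report", T0 + timedelta(seconds=10), "203.0.113.5", "transmit"),
    Behavior(4, "svc_report", T0 + timedelta(seconds=20), "203.0.113.5", "transmit"),
    Behavior(5, "svc_report", T0 + timedelta(seconds=30), "203.0.113.5", "transmit"),
    Behavior(6, "svc_report", T0 + timedelta(minutes=45), "10.0.0.20", "transmit"),
    Behavior(7, "alice", datetime(2024, 3, 12, 10, 0, 0), "db.orders", "query"),
]

if __name__ == "__main__":
    for bid, degree in alert(SAMPLE, NORMAL_BASELINE).items():
        print(f"APT alarm: chain around behavior {bid}, matching degree {degree:.2f}")
```

Behavior 1 is itself normal but joins every chain of the same body within the window, which is what lets the off-hours and "frequent communication" rules fire on the sequence rather than on a single record.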
The method provided by the disclosure covers all business behaviors and can discover unknown APT attacks, so it has a wider detection range. In addition, the method does not judge an abnormal business behavior directly; rather, after an abnormal business behavior is found, the abnormal business behavior data chain is established and analyzed according to the APT attack judgment rule, thereby ensuring higher accuracy.
FIG. 2 is a block diagram illustrating an APT attack warning device 200 according to an embodiment. As shown in FIG. 2, the apparatus 200 includes: an acquisition unit 201, a determining unit 202, an establishing unit 203 and a judging unit 204.
The acquisition unit 201 acquires data of a plurality of business behaviors, wherein the data includes attribute information of each business behavior. The determining unit 202 compares the attribute information of each of the plurality of business behaviors with the predetermined normal business behavior attribute information to determine whether each business behavior is a normal business behavior or an abnormal business behavior. The establishing unit 203 establishes an abnormal business behavior data chain for each abnormal business behavior when at least one abnormal business behavior exists among the plurality of business behaviors, where the abnormal business behavior data chain includes a business behavior sequence associated with the abnormal business behavior. The judging unit 204 matches each abnormal business behavior data chain with a predetermined APT attack judgment rule and issues an APT attack alarm for each abnormal business behavior data chain whose matching degree is higher than a threshold value.
In some embodiments, the attribute information may include at least one of: behavior identification, behavior body, behavior time, behavior object, behavior operation and behavior association information.
In some embodiments, the apparatus 200 may include an updating unit that adds attribute information of a business behavior determined to be a normal business behavior to predetermined normal business behavior attribute information.
In some embodiments, the attribute information of each business behavior includes behavior association information, and the establishing unit is configured to: for each abnormal business behavior, determine the business behaviors associated with it according to the behavior association information included in the attribute information of each of the plurality of business behaviors, and form the abnormal business behavior data chain of that abnormal business behavior from the determined business behaviors and the abnormal business behavior, ordered by behavior time.
In some embodiments, the attribute information of each business behavior includes behavior association information, and the establishing unit is configured to: for each abnormal business behavior, determine the business behaviors associated with it according to the behavior association information included in the attribute information of each business behavior within a certain time period before and after the abnormal business behavior, and form the abnormal business behavior data chain of that abnormal business behavior from the determined business behaviors and the abnormal business behavior, ordered by behavior time.
In some embodiments, the establishing unit may be configured to: with the abnormal business behavior as the center, search before and after it respectively to determine the business behaviors associated with it; count the number of business behaviors determined to be associated with the abnormal business behavior; and when that number reaches a preset threshold, form the abnormal business behavior data chain from the determined business behaviors and the abnormal business behavior.
In some embodiments, the APT attack judgment rule includes at least one of the following types: business operations at non-business times, or non-business operations at business times; frequent data communication with a particular IP address; data stored abnormally in compressed or encrypted form; data automatically uploaded to an untrusted target; data transmission at discontinuous times; and the same data file circulated multiple times.
It should be noted that when the APT attack warning apparatus provided by the foregoing embodiment alarms on an APT attack, the above division into functional units is only an example; in practical applications the functions may be distributed among different functional units as needed, that is, the internal structure of the apparatus may be divided into different functional units so as to complete all or part of the functions described above.
FIG. 3 is a schematic diagram illustrating an APT attack warning device 300 according to an embodiment. Referring to FIG. 3, the apparatus 300 includes a processing component 301, which in turn includes one or more processors. The apparatus 300 may further comprise a power component 303 for power management of the apparatus 300, and a wired or wireless network interface 304 and an input/output (I/O) interface 305 for connecting the apparatus 300 to a network. The network interface 304 and the I/O interface 305 may be used to receive data related to business behaviors from an external network or device. Further, the apparatus 300 may include a memory 302 and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, and include instructions for: acquiring data of a plurality of business behaviors, wherein the data comprises attribute information of each business behavior; comparing the attribute information of each business behavior in the plurality of business behaviors with predetermined normal business behavior attribute information to determine whether each business behavior is a normal business behavior or an abnormal business behavior; when at least one abnormal business behavior exists in the plurality of business behaviors, establishing an abnormal business behavior data chain for each abnormal business behavior, wherein the abnormal business behavior data chain comprises a business behavior sequence associated with the abnormal business behavior; and matching each abnormal business behavior data chain with a predetermined APT attack judgment rule, and issuing an APT attack alarm for each abnormal business behavior data chain whose matching degree is higher than a threshold value.
In the embodiments of the disclosure, the method provided is built into the device, so that the device alarms on APT attacks automatically, and the APT attack warning capability can be improved while greatly reducing the cost involved.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It will be understood that the present disclosure is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.

Claims (13)

1. An advanced persistent threat (APT) attack warning method, comprising:
acquiring data of a plurality of business behaviors, wherein the data comprises attribute information of each business behavior;
comparing the attribute information of each business behavior in the plurality of business behaviors with predetermined normal business behavior attribute information to determine whether each business behavior is a normal business behavior or an abnormal business behavior;
when at least one abnormal business behavior exists in the plurality of business behaviors, establishing an abnormal business behavior data chain for each abnormal business behavior, wherein the abnormal business behavior data chain comprises a business behavior sequence associated with the abnormal business behavior; and
matching each abnormal business behavior data chain with a predetermined APT attack judgment rule, and issuing an APT attack alarm for each abnormal business behavior data chain whose matching degree is higher than a threshold value;
wherein the attribute information of each business behavior comprises behavior association information, and establishing the abnormal business behavior data chain comprises:
for each abnormal business behavior, determining the business behaviors associated with the abnormal business behavior according to the behavior association information included in the attribute information of each business behavior in the plurality of business behaviors, and forming the abnormal business behavior data chain of the abnormal business behavior from the determined business behaviors and the abnormal business behavior, ordered by behavior time.
2. The method of claim 1, wherein the attribute information comprises at least one of: behavior identification, behavior body, behavior time, behavior object, behavior operation and behavior association information.
3. The method of claim 1, further comprising:
adding the attribute information of a business behavior determined to be a normal business behavior to the predetermined normal business behavior attribute information.
4. The method of claim 1, wherein the attribute information of each business behavior comprises behavior association information, and establishing the abnormal business behavior data chain comprises:
for each abnormal business behavior, determining the business behaviors associated with the abnormal business behavior according to the behavior association information included in the attribute information of each business behavior within a certain time period before and after the abnormal business behavior, and forming the abnormal business behavior data chain of the abnormal business behavior from the determined business behaviors and the abnormal business behavior, ordered by behavior time.
5. The method of claim 4, wherein establishing the abnormal business behavior data chain comprises:
with the abnormal business behavior as the center, searching before and after the abnormal business behavior respectively to determine the business behaviors associated with the abnormal business behavior;
counting the number of business behaviors determined to be associated with the abnormal business behavior; and
when the number of business behaviors determined to be associated with the abnormal business behavior reaches a preset threshold value, forming the abnormal business behavior data chain of the abnormal business behavior from the determined business behaviors and the abnormal business behavior.
6. The method of claim 1, wherein the APT attack decision rule comprises at least one of the following types:
business operation of non-business time or non-business operation of business time;
frequent data communications for a particular IP address;
data are stored and compressed abnormally in an encrypted manner;
automatically uploading the data to an untrusted target;
data transmission in discontinuous time;
the same data file is circulated for a plurality of times.
7. An apparatus for alarming on an APT attack, comprising:
an acquisition unit, configured to acquire data of a plurality of business behaviors, the data comprising attribute information of each business behavior;
a determining unit, configured to compare the attribute information of each of the plurality of business behaviors with the attribute information of a preset normal business behavior, so as to determine whether each business behavior is a normal business behavior or an abnormal business behavior;
an establishing unit, configured to establish an abnormal business behavior data chain for each abnormal business behavior when at least one abnormal business behavior exists among the plurality of business behaviors, the abnormal business behavior data chain comprising a sequence of business behaviors associated with the abnormal business behavior;
a judging unit, configured to match each abnormal business behavior data chain with a preset APT attack decision rule and to send an APT attack alarm for any abnormal business behavior data chain whose matching degree is higher than a threshold;
wherein the attribute information of each business behavior includes behavior association information, and the establishing unit is further configured to:
for each abnormal business behavior, determine the business behaviors associated with the abnormal business behavior according to the behavior association information included in the attribute information of each business behavior occurring within a certain time period before and after the abnormal business behavior, and form an abnormal business behavior data chain of the abnormal business behavior from the determined business behaviors and the abnormal business behavior, ordered by behavior time.
8. The apparatus of claim 7, wherein the attribute information comprises at least one of:
behavior identification, behavior body, behavior time, behavior object, behavior operation and behavior association information.
9. The apparatus of claim 7, further comprising:
an updating unit, configured to add the attribute information of any business behavior determined to be a normal business behavior to the attribute information of the preset normal business behavior.
10. The apparatus of claim 7, wherein the attribute information of each business behavior comprises behavior association information, and the establishing unit is configured to:
for each abnormal business behavior, determine the business behaviors associated with the abnormal business behavior according to the behavior association information included in the attribute information of each of the plurality of business behaviors, and form an abnormal business behavior data chain of the abnormal business behavior from the determined business behaviors and the abnormal business behavior, ordered by behavior time.
11. The apparatus of claim 10, wherein the establishing unit is further configured to:
take an abnormal business behavior as the center and search before and after the abnormal business behavior respectively to determine the business behaviors associated with the abnormal business behavior;
determine the number of business behaviors associated with the abnormal business behavior;
and, when the determined number of business behaviors associated with the abnormal business behavior reaches a preset threshold, form the abnormal business behavior data chain of the abnormal business behavior from the determined business behaviors and the abnormal business behavior.
12. The apparatus of claim 7, wherein the APT attack decision rule comprises at least one of the following types:
business operations at non-business times, or non-business operations during business time;
frequent data communication with a particular IP address;
abnormal storage of data in encrypted and compressed form;
automatic uploading of data to an untrusted target;
data transmission at discontinuous times;
the same data file being circulated multiple times.
13. An apparatus for alarming APT attack, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to:
acquiring data of a plurality of business behaviors, wherein the data comprises attribute information of each business behavior;
comparing the attribute information of each of the plurality of business behaviors with the attribute information of a preset normal business behavior to determine whether each business behavior is a normal business behavior or an abnormal business behavior;
when at least one abnormal business behavior exists among the plurality of business behaviors, establishing an abnormal business behavior data chain for each abnormal business behavior, the abnormal business behavior data chain comprising a sequence of business behaviors associated with the abnormal business behavior;
matching each abnormal business behavior data chain with a preset APT attack decision rule, and sending an APT attack alarm for any abnormal business behavior data chain whose matching degree is higher than a threshold;
wherein the attribute information of each business behavior comprises behavior association information, and establishing the abnormal business behavior data chain comprises:
for each abnormal business behavior, determining the business behaviors associated with the abnormal business behavior according to the behavior association information included in the attribute information of each of the plurality of business behaviors, and forming an abnormal business behavior data chain of the abnormal business behavior from the determined business behaviors and the abnormal business behavior, ordered by behavior time.
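A compact Python model of the pipeline the claims describe (classification against a preset normal profile, chain building by searching before and after each anomaly within a time window until a threshold count of associated behaviors is reached, and matching each chain against decision rules of the kinds listed in claim 6), added here as an illustration rather than as the patent's own code. The field names, the hour-based times, the encoding of three of the six rule types, the "fraction of rules matched" scoring and the sample behaviors are all constructed assumptions.

```python
from collections import namedtuple
# Added example, not the patent's code; field names and sample data are constructed.
# Fields are the patent's attribute kinds: id, body (subject), time (hour of day, for
# brevity), object (file or destination host), operation, association (linked ids).
Behavior = namedtuple("Behavior", "bid subject time obj op assoc", defaults=(frozenset(),))

# Preset normal business behavior, as (subject, object, operation) triples
NORMAL_PROFILE = {("alice", "report.xlsx", "read"), ("alice", "report.xlsx", "edit")}

def build_chain(anomaly, all_b, window, need):
    # Claims 4-5: search +/-window hours around the anomaly for behaviors linked through
    # association information; chain them in time order once at least `need` are found.
    related = [b for b in all_b if b.bid != anomaly.bid
               and abs(b.time - anomaly.time) <= window
               and (b.bid in anomaly.assoc or anomaly.bid in b.assoc)]
    if len(related) < need:
        return None
    return sorted(related + [anomaly], key=lambda b: b.time)

# Three of the six decision-rule types of claim 6, as predicates over a chain
BUSINESS_HOURS = range(9, 18)
UNTRUSTED_TARGETS = {"203.0.113.7"}   # constructed documentation address
RULES = {
    "operation outside business time": lambda c: any(b.time not in BUSINESS_HOURS for b in c),
    "upload to untrusted target": lambda c: any(b.op == "upload" and b.obj in UNTRUSTED_TARGETS for b in c),
    "same file circulated repeatedly": lambda c: any(
        sum(b.op in ("copy", "send") and b.obj == x.obj for b in c) >= 2 for x in c),
}

def evaluate(all_b, window=2, need=2, threshold=0.5):
    # Classify, chain each anomaly, score the chain as the fraction of rules it matches,
    # and alarm only when that matching degree exceeds the threshold.
    results = []
    for b in all_b:
        if (b.subject, b.obj, b.op) in NORMAL_PROFILE:
            continue                   # normal business behavior
        chain = build_chain(b, all_b, window, need)
        if chain is None:
            continue                   # too few linked behaviors: no chain, no alarm
        degree = sum(r(chain) for r in RULES.values()) / len(RULES)
        results.append((b.bid, round(degree, 3), degree > threshold))
    return results

# Constructed sample: alice copies a report twice late in the evening and uploads it
SAMPLE = [
    Behavior("b1", "alice", 10, "report.xlsx", "read"),
    Behavior("b2", "alice", 21, "report.xlsx", "copy", frozenset({"b3", "b4"})),
    Behavior("b3", "alice", 22, "report.xlsx", "copy", frozenset({"b2"})),
    Behavior("b4", "alice", 23, "fileserver", "upload", frozenset({"b2"})),
]
```

Only the anomaly that gathers enough associated behaviors inside the window gets a chain, so `evaluate(SAMPLE)` reports a single alarm for `b2` (two of three rules matched); the other abnormal behaviors are dropped before rule matching.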
CN201611196656.0A 2016-12-21 2016-12-21 APT attack warning method and APT attack warning device Active CN108234426B (en)


Publications (2)

Publication Number Publication Date
CN108234426A CN108234426A (en) 2018-06-29
CN108234426B true CN108234426B (en) 2021-08-03

Family

ID=62656909

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103312679A (en) * 2012-03-15 2013-09-18 北京启明星辰信息技术股份有限公司 APT (advanced persistent threat) detection method and system
CN104579819A (en) * 2014-12-03 2015-04-29 北京奇虎科技有限公司 Network security detection method and device
CN105681286A (en) * 2015-12-31 2016-06-15 中电长城网际系统应用有限公司 Association analysis method and association analysis system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8925082B2 (en) * 2012-08-22 2014-12-30 International Business Machines Corporation Cooperative intrusion detection ecosystem for IP reputation-based security

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant