CN108848102A - A kind of APT attack early warning system and its method for early warning - Google Patents


Info

Publication number: CN108848102A
Application number: CN201810704938.XA
Authority: CN (China)
Prior art keywords: early warning, risk, module, data, behavior
Legal status: Granted (the status is an assumption by Google Patents, not a legal conclusion; Google has not performed a legal analysis)
Other languages: Chinese (zh)
Other versions: CN108848102B (en)
Inventors: 赵西玉, 李佐民, 赵越峰
Current assignee: Beijing Net Technology Co Ltd (listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Beijing Net Technology Co Ltd
Priority date: 2018-07-02 (an assumption by Google Patents, not a legal conclusion)
Filing date: 2018-07-02
Publication date: 2018-11-20

2018-07-02: Application filed by Beijing Net Technology Co Ltd; priority to CN201810704938.XA
2018-11-20: Publication of CN108848102A
2021-04-13: Application granted; publication of CN108848102B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Technology Law (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses an APT attack early-warning system comprising: an acquisition module, for collecting network communication data; a data storage module, for temporarily holding the collected network communication data; a simulation-run module, which performs a simulated run of the collected network communication data; a risk analysis module, for analysing various risk behaviours; a risk early-warning module, for issuing an early warning on the analysed risk behaviours; and a risk association module, for performing association analysis across different risk behaviours and revising the early-warning results. The invention remedies the deficiencies of the prior art and achieves early warning across the full life cycle of an APT attack.

Description

APT attack early-warning system and early-warning method thereof
Technical field
The present invention relates to the technical field of industrial control system security protection, and in particular to an APT attack early-warning system and its early-warning method.
Background technique
An APT attack uses techniques that existing detection architectures find hard to detect (0-day vulnerabilities, N-day vulnerabilities, variants of known bugs, purpose-built trojans and the like) and combines them with a range of means including social engineering, phishing and supply-chain implants to launch a targeted attack against a chosen victim. Traditional products that rely on an after-the-fact signature mechanism, such as IPS, IDS, antivirus software, firewalls and security gateways, fail almost entirely when faced with an APT attack; purpose-built trojans and 0-day/N-day vulnerabilities continually challenge conventional security equipment.
Summary of the invention
The technical problem to be solved by the present invention is to provide an APT attack early-warning system and early-warning method that remedy the deficiencies of the prior art and achieve early warning across the full life cycle of an APT attack.
To solve the above technical problem, the technical solution adopted by the present invention is as follows.
An APT attack early-warning system, comprising:
an acquisition module, for collecting network communication data;
a data storage module, for temporarily holding the collected network communication data;
a simulation-run module, which performs a simulated run of the collected network communication data;
a risk analysis module, for analysing various risk behaviours;
a risk early-warning module, for issuing an early warning on the analysed risk behaviours;
a risk association module, for performing association analysis across different risk behaviours and revising the early-warning results.
An early-warning method of the above APT attack early-warning system comprises the following steps:
A. the acquisition module collects network communication data and sends them to the data storage module;
B. the simulation-run module retrieves data from the data storage module and performs a simulated run;
C. the risk analysis module monitors the run in real time and analyses risk behaviours;
D. the risk early-warning module issues an early warning on the analysed risk behaviours;
E. the risk association module performs association analysis on the analysed risk behaviours and revises the early-warning results.
Preferably, in step A, network communication data are collected periodically; the collection period consists of a fixed part and a non-fixed part, the non-fixed part being directly proportional to the number of real-time alerts. The data storage module encapsulates the collected data, placing the data-cache information into the data structure as the packet header.
Preferably, in step B, the data storage module allocates run spaces according to the data-cache information of each data structure: data structures with the same type of data-cache information are allocated to the same run space and run there under time-division multiplexing, while data structures with the same destination address that run in different run spaces are run in parallel and kept synchronised.
Preferably, in step C, the risk analysis module extracts behavioural features during the simulated run and compares them with the risk behaviour features pre-stored in the risk database; a behaviour whose comparison similarity exceeds the threshold is regarded as a risk behaviour.
Preferably, in step C, the behavioural features include link behavioural features, target behavioural features, protocol behavioural features and access behavioural features.
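The acquisition scheduling and run-space allocation of steps A and B (as stated here and repeated in the specific embodiment below), worked through as an added example in Python; this is not code from the patent or its assignee. The record format, the `classify` function, the proportionality constant `k`, the cap on the variable part of the period and the sample records are all assumptions made for illustration, since the patent specifies none of them.

```python
"""Added example (not from the patent): steps A and B of the early-warning
method. Names, the record format and the sample records are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class CacheInfo:
    """Data-cache information used as the packet header of each structure."""
    cache_type: str   # assumed classification key (e.g. protocol family)
    dst: str          # destination address of the captured traffic


@dataclass(frozen=True)
class DataStructure:
    header: CacheInfo
    payload: bytes


def collection_period(fixed: float, k: float, alerts_now: int, cap: float) -> float:
    """Step A: fixed part plus a non-fixed part proportional to the live alert
    count. The cap is an added safeguard (assumption) so that a flood of
    alerts cannot stretch the period without bound."""
    if fixed <= 0 or k < 0 or alerts_now < 0:
        raise ValueError("fixed must be > 0; k and alerts_now must be >= 0")
    return min(fixed + k * alerts_now, cap)


def package(records: List[Tuple[str, bytes]],
            classify: Callable[[bytes], str]) -> List[DataStructure]:
    """Step A, storage side: encapsulate each (dst, payload) record with its
    cache information as the header."""
    return [DataStructure(CacheInfo(classify(payload), dst), payload)
            for dst, payload in records]


def allocate_run_spaces(structures: List[DataStructure]
                        ) -> Tuple[Dict[str, List[DataStructure]], Set[str]]:
    """Step B: one run space per cache type (structures inside it are
    time-shared), plus the destination addresses that appear in more than one
    run space and therefore have to be run in synchronised parallel."""
    spaces: Dict[str, List[DataStructure]] = defaultdict(list)
    dst_spaces: Dict[str, Set[str]] = defaultdict(set)
    for s in structures:
        spaces[s.header.cache_type].append(s)
        dst_spaces[s.header.dst].add(s.header.cache_type)
    sync = {dst for dst, types in dst_spaces.items() if len(types) > 1}
    return dict(spaces), sync


def time_shared_order(ticks_needed: List[int], quantum: int) -> List[int]:
    """Round-robin time-division multiplexing inside one run space: returns,
    tick by tick, the index of the structure that holds the run space."""
    if quantum <= 0:
        raise ValueError("quantum must be positive")
    remaining = list(ticks_needed)
    order: List[int] = []
    while any(r > 0 for r in remaining):
        for i, r in enumerate(remaining):
            if r > 0:
                slice_ = min(quantum, r)
                order.extend([i] * slice_)
                remaining[i] -= slice_
    return order


# Constructed sample records (dst, payload): two Modbus/TCP-style frames and
# two HTTP request lines, so that 10.0.0.5 shows up in both run spaces.
SAMPLE_RECORDS = [
    ("10.0.0.5", b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    ("10.0.0.5", b"GET /config HTTP/1.1\r\n"),
    ("10.0.0.9", b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x01\x00\x03"),
    ("10.0.0.7", b"POST /login HTTP/1.1\r\n"),
]


def classify(payload: bytes) -> str:
    """Assumed classifier: HTTP if the payload starts with a request verb."""
    return "http" if payload[:4] in (b"GET ", b"POST") else "modbus"


if __name__ == "__main__":
    print("period with 4 live alerts:", collection_period(10.0, 0.5, 4, 60.0))
    spaces, sync = allocate_run_spaces(package(SAMPLE_RECORDS, classify))
    for name, members in spaces.items():
        print(name, "->", [m.header.dst for m in members])
    print("synchronise across spaces:", sorted(sync))
    print("time-shared order:", time_shared_order([3, 1], 2))
```

The patent makes the variable part of the period grow with the live alert count; the cap is not in the text and is there because a practitioner would otherwise let an alert storm stretch the capture window indefinitely. The synchronisation set only identifies which destinations must be run in lock-step across spaces; the text does not say how the lock-step itself is implemented.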
The beneficial effects of adopting the above technical solution are: the present invention can provide effective early warning of different types of APT attack, its deployment is flexible, and it suits a wide range of industrial network environments. The present invention uses a specially developed simulated-run mode that runs quickly, occupies few resources and identifies risk behaviours effectively.
Detailed description of the invention
Fig. 1 is a schematic diagram of the system of a specific embodiment of the invention.
Specific embodiment
Referring to Fig. 1, a specific embodiment of the invention comprises:
An APT attack early-warning system, comprising:
an acquisition module 1, for collecting network communication data;
a data storage module 2, for temporarily holding the collected network communication data;
a simulation-run module 3, which performs a simulated run of the collected network communication data;
a risk analysis module 4, for analysing various risk behaviours;
a risk early-warning module 5, for issuing an early warning on the analysed risk behaviours;
a risk association module 6, for performing association analysis across different risk behaviours and revising the early-warning results.
An early-warning method of the above APT attack early-warning system comprises the following steps:
A. the acquisition module 1 collects network communication data and sends them to the data storage module 2;
B. the simulation-run module 3 retrieves data from the data storage module 2 and performs a simulated run;
C. the risk analysis module 4 monitors the run in real time and analyses risk behaviours;
D. the risk early-warning module 5 issues an early warning on the analysed risk behaviours;
E. the risk association module 6 performs association analysis on the analysed risk behaviours and revises the early-warning results.
In step A, network communication data are collected periodically; the collection period consists of a fixed part and a non-fixed part, the non-fixed part being directly proportional to the number of real-time alerts. The data storage module 2 encapsulates the collected data, placing the data-cache information into the data structure as the packet header.
In step B, the data storage module 2 allocates run spaces according to the data-cache information of each data structure: data structures with the same type of data-cache information are allocated to the same run space and run there under time-division multiplexing, while data structures with the same destination address that run in different run spaces are run in parallel and kept synchronised.
In step C, by setting static nodes, the risk analysis module 4 extracts the behavioural features during the simulated run and compares them with the risk behaviour features pre-stored in the vulnerability database; a behaviour whose comparison similarity exceeds the threshold is regarded as a risk behaviour.
In step C, the behavioural features include link behavioural features, target behavioural features, protocol behavioural features and access behavioural features.
In step E, the behaviour association degree is judged from the weighted average of the link overlap degree of each link behavioural feature and the target consistency degree; when the association degree of a behavioural feature exceeds the threshold, the behaviour containing that behavioural feature is confirmed as a risk behaviour.
The thresholds in this embodiment are all set according to actual operating conditions, through a limited number of trials using the present invention.
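Steps C to E, the comparison of extracted behavioural features against pre-stored risk features, the resulting alerts, and the weighted link-overlap/target-consistency association that revises them, worked through as an added example in Python; this is not code from the patent or its assignee, and it also serves the summary's description of step C earlier on the page. The representation of each feature kind as a set, Jaccard overlap as the comparison measure, equal weights, the two thresholds, and the sample risk database and observed behaviours are all assumptions made for illustration; the patent says only that thresholds are set empirically.

```python
"""Added example (not from the patent): steps C, D and E of the method.
Feature sets, Jaccard as the similarity measure, weights, thresholds and all
sample data are assumptions made for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

FEATURES = ("link", "target", "protocol", "access")


@dataclass(frozen=True)
class Behaviour:
    """One behaviour seen during the simulated run (or one stored risk
    pattern), described by the four feature kinds the patent names."""
    name: str
    link: FrozenSet[str]       # communication links, e.g. "src->dst"
    target: FrozenSet[str]     # assets addressed
    protocol: FrozenSet[str]   # protocols used
    access: FrozenSet[str]     # operations or resources accessed


def jaccard(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    """Set overlap in [0, 1]; two empty sets are treated as identical."""
    return 1.0 if not a and not b else len(a & b) / len(a | b)


def similarity(obs: Behaviour, ref: Behaviour) -> float:
    """Step C comparison: mean Jaccard overlap over the four feature kinds."""
    return sum(jaccard(getattr(obs, f), getattr(ref, f)) for f in FEATURES) / len(FEATURES)


def analyse(observed: List[Behaviour], risk_db: List[Behaviour],
            sim_threshold: float) -> List[Dict]:
    """Steps C and D: match each observed behaviour against the risk database;
    anything whose best similarity exceeds the threshold becomes an alert."""
    alerts = []
    for obs in observed:
        best = max(risk_db, key=lambda r: similarity(obs, r))
        score = similarity(obs, best)
        if score > sim_threshold:
            alerts.append({"behaviour": obs.name, "matches": best.name,
                           "score": round(score, 3), "status": "suspected",
                           "association": 0.0})
    return alerts


def association(a: Behaviour, b: Behaviour, w_link: float, w_target: float) -> float:
    """Step E: weighted average of link overlap and target consistency."""
    if abs(w_link + w_target - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1 for a weighted average")
    return w_link * jaccard(a.link, b.link) + w_target * jaccard(a.target, b.target)


def correlate(alerts: List[Dict], observed: List[Behaviour], assoc_threshold: float,
              w_link: float = 0.5, w_target: float = 0.5) -> List[Dict]:
    """Step E: revise alerts. An alert whose association with any other alert
    exceeds the threshold is confirmed; the rest stay 'suspected'."""
    by_name = {b.name: b for b in observed}
    for i, a in enumerate(alerts):
        for b in alerts[i + 1:]:
            d = association(by_name[a["behaviour"]], by_name[b["behaviour"]],
                            w_link, w_target)
            for alert in (a, b):
                alert["association"] = max(alert["association"], round(d, 3))
                if d > assoc_threshold:
                    alert["status"] = "confirmed"
    return alerts


def run_pipeline(observed, risk_db, sim_threshold=0.6, assoc_threshold=0.4):
    """Steps C to E end to end; returns the revised alert list."""
    return correlate(analyse(observed, risk_db, sim_threshold), observed, assoc_threshold)


def fs(*items: str) -> FrozenSet[str]:
    return frozenset(items)


# Constructed risk database (pre-stored risk behaviour features).
RISK_DB = [
    Behaviour("lateral-modbus-write", fs("eng-ws->plc-01"), fs("plc-01"),
              fs("modbus"), fs("write-register")),
    Behaviour("http-credential-probe", fs("ext->hmi"), fs("hmi"),
              fs("http"), fs("/login")),
]

# Constructed behaviours extracted from a simulated run.
OBSERVED = [
    Behaviour("obs-1", fs("eng-ws->plc-01"), fs("plc-01"), fs("modbus"),
              fs("read-coils", "write-register")),
    Behaviour("obs-2", fs("ext->hmi"), fs("hmi"), fs("http"),
              fs("/login", "/config")),
    Behaviour("obs-3", fs("eng-ws->plc-01", "eng-ws->plc-02"),
              fs("plc-01", "plc-02"), fs("modbus"), fs("write-register")),
    Behaviour("obs-4", fs("eng-ws->plc-02"), fs("plc-02"), fs("modbus"),
              fs("read-coils")),
]

if __name__ == "__main__":
    for alert in run_pipeline(OBSERVED, RISK_DB):
        print(alert)
```

With the constructed data, obs-1, obs-2 and obs-3 clear the similarity threshold and obs-4 does not (only its protocol matches). The association step then confirms obs-1 and obs-3, which share a link and a target, while obs-2 stays a suspected alert because it shares neither with any other alert; that is the sense in which step E "revises" the early-warning result. Both thresholds are strict "exceeds" comparisons, matching the text, and a practitioner should expect to tune them per site as the embodiment says.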
The foregoing shows and describes the basic principles, main features and advantages of the present invention. Those skilled in the art should understand that the present invention is not limited to the above embodiments, which, together with the description, merely illustrate the principles of the invention; various changes and improvements may be made without departing from the spirit and scope of the invention, and all such changes and improvements fall within the claimed scope of protection. The claimed scope of the invention is defined by the appended claims and their equivalents.

Claims (6)

1. An APT attack early-warning system, characterised in that it comprises:
an acquisition module (1), for collecting network communication data;
a data storage module (2), for temporarily holding the collected network communication data;
a simulation-run module (3), which performs a simulated run of the collected network communication data;
a risk analysis module (4), for analysing various risk behaviours;
a risk early-warning module (5), for issuing an early warning on the analysed risk behaviours;
a risk association module (6), for performing association analysis across different risk behaviours and revising the early-warning results.
2. An early-warning method of the APT attack early-warning system of claim 1, characterised in that it comprises the following steps:
A. the acquisition module (1) collects network communication data and sends them to the data storage module (2);
B. the simulation-run module (3) retrieves data from the data storage module (2) and performs a simulated run;
C. the risk analysis module (4) monitors the run in real time and analyses risk behaviours;
D. the risk early-warning module (5) issues an early warning on the analysed risk behaviours;
E. the risk association module (6) performs association analysis on the analysed risk behaviours and revises the early-warning results.
3. The early-warning method of the APT attack early-warning system according to claim 2, characterised in that, in step A, network communication data are collected periodically; the collection period consists of a fixed part and a non-fixed part, the non-fixed part being directly proportional to the number of real-time alerts; and the data storage module (2) encapsulates the collected data, placing the data-cache information into the data structure as the packet header.
4. The early-warning method of the APT attack early-warning system according to claim 3, characterised in that, in step B, the data storage module (2) allocates run spaces according to the data-cache information of each data structure: data structures with the same type of data-cache information are allocated to the same run space and run there under time-division multiplexing, while data structures with the same destination address that run in different run spaces are run in parallel and kept synchronised.
5. The early-warning method of the APT attack early-warning system according to claim 2, characterised in that, in step C, the risk analysis module (4) extracts behavioural features during the simulated run and compares them with the risk behaviour features pre-stored in the vulnerability database; a behaviour whose comparison similarity exceeds the threshold is regarded as a risk behaviour.
6. The early-warning method of the APT attack early-warning system according to claim 5, characterised in that, in step C, the behavioural features include link behavioural features, target behavioural features, protocol behavioural features and access behavioural features.
Priority Applications (1)

Application Number: CN201810704938.XA; Priority Date: 2018-07-02; Filing Date: 2018-07-02; Title: APT attack early warning system and early warning method thereof (Active; granted as CN108848102B)

Applications Claiming Priority (1)

Application Number: CN201810704938.XA; Priority Date: 2018-07-02; Filing Date: 2018-07-02; Title: APT attack early warning system and early warning method thereof (CN108848102B)

Publications (2)

Publication Number: CN108848102A (this document); Publication Date: 2018-11-20
Publication Number: CN108848102B; Publication Date: 2021-04-13

Family

ID=64201066

Family Applications (1)

Application Number: CN201810704938.XA; Title: APT attack early warning system and early warning method thereof; Priority Date: 2018-07-02; Filing Date: 2018-07-02; Status: Active (CN108848102B)

Country Status (1)

Country: CN; Link: CN108848102B (en)

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103607388A (en) * 2013-11-18 2014-02-26 浪潮(北京)电子信息产业有限公司 APT threat prediction method and system
CN104850780A (en) * 2015-04-27 2015-08-19 北京北信源软件股份有限公司 Discrimination method for advanced persistent threat attack
CN104901971A (en) * 2015-06-23 2015-09-09 北京东方棱镜科技有限公司 Method and device for carrying out safety analysis on network behaviors
CN105141598A (en) * 2015-08-14 2015-12-09 中国传媒大学 APT (Advanced Persistent Threat) attack detection method and APT attack detection device based on malicious domain name detection
CN105260662A (en) * 2014-07-17 2016-01-20 南京曼安信息科技有限公司 Device and method for detecting unknown application vulnerability threats
CN105262726A (en) * 2015-09-10 2016-01-20 中国人民解放军信息工程大学 APT (Advanced Persistent Threat) attack detection method based on big data behavior sequence analysis
CN105553957A (en) * 2015-12-09 2016-05-04 国家电网公司 Network security situation awareness and early-warning method and system based on big data
CN105721416A (en) * 2015-11-16 2016-06-29 哈尔滨安天科技股份有限公司 APT event attack-organisation homology analysis method and apparatus
CN107196910A (en) * 2017-04-18 2017-09-22 国网山东省电力公司电力科学研究院 Big-data-analysis-based threat early-warning monitoring system, method and deployment framework
CN107426159A (en) * 2017-05-03 2017-12-01 成都国腾实业集团有限公司 Big-data-analysis-based APT monitoring and defence method
CN107645503A (en) * 2017-09-20 2018-01-30 杭州安恒信息技术有限公司 Rule-based method for detecting the DGA family to which a malicious domain name belongs
CN108229153A (en) * 2016-12-21 2018-06-29 青岛祥智电子技术有限公司 Method for discriminating advanced persistent threat attacks

Also Published As

Publication number Publication date
CN108848102B (en) 2021-04-13

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant