CN108848102A - APT attack early warning system and early warning method thereof - Google Patents
APT attack early warning system and early warning method thereof
- Publication number
- CN108848102A
- Authority
- CN
- China
- Prior art keywords
- early warning
- risk
- module
- data
- behavior
- Prior art date
- 2018-07-02
- Legal status (as listed by Google Patents; not a legal conclusion)
- Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/30—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Technology Law (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention discloses an APT attack early warning system comprising: an acquisition module for acquiring network communication data; a data storage module for temporarily storing the acquired network communication data; a simulated run module for performing a simulated run of the acquired network communication data; a risk analysis module for analyzing various risk behaviors; a risk early warning module for raising early warnings on the analyzed risk behaviors; and a risk correlation module for performing correlation analysis on different risk behaviors and revising the early warning results. The invention remedies shortcomings of the prior art and realizes early warning across the full life cycle of an APT attack.
Description
Technical field
The present invention relates to the technical field of industrial control system security protection, in particular to an APT attack early warning system and its early warning method.
Background technique
An APT attack combines techniques that existing detection architectures have difficulty detecting (0-day vulnerabilities, N-day vulnerabilities, variants of known vulnerabilities, custom trojans, etc.) with a variety of other means, including social engineering, phishing and supply chain implantation, and launches a targeted attack against a chosen victim. Traditional products based on after-the-fact signature mechanisms, such as IPS, IDS, antivirus software, firewalls and security gateways, almost all fail when faced with an APT attack; custom trojans and 0-day/N-day vulnerabilities pose a constant challenge to conventional security equipment.
Summary of the invention
The technical problem to be solved by the present invention is to provide an APT attack early warning system and its early warning method that remedy the shortcomings of the prior art and realize early warning across the full life cycle of an APT attack.
To solve the above technical problem, the technical solution adopted by the present invention is as follows.
An APT attack early warning system, comprising:
an acquisition module for acquiring network communication data;
a data storage module for temporarily storing the acquired network communication data;
a simulated run module for performing a simulated run of the acquired network communication data;
a risk analysis module for analyzing various risk behaviors;
a risk early warning module for raising early warnings on the analyzed risk behaviors;
a risk correlation module for performing correlation analysis on different risk behaviors and revising the early warning results.
An early warning method for the above APT attack early warning system, comprising the following steps:
A. the acquisition module acquires network communication data and sends it to the data storage module;
B. the simulated run module retrieves data from the data storage module and performs a simulated run;
C. the risk analysis module monitors the run in real time and analyzes risk behaviors;
D. the risk early warning module raises early warnings on the analyzed risk behaviors;
E. the risk correlation module performs correlation analysis on the analyzed risk behaviors and revises the early warning results.
Preferably, in step A, network communication data is acquired in a periodic acquisition mode, the collection period being divided into a fixed part and a variable part, the variable part being proportional to the number of early warnings currently active; the data storage module encapsulates the collected data, placing the data cache information into the data structure as a packet header during encapsulation.
Preferably, in step B, the data storage module allocates data run spaces according to the data cache information of the data structures: data structures with the same type of data cache information are allocated to the same data run space, where they time-share the simulated run, and data structures with identical destination addresses that run in different data run spaces are synchronized so that they run in parallel.
Preferably, in step C, the risk analysis module extracts behavior features during the simulated run and compares them with the risk behavior features pre-stored in a risk database; a behavior whose comparison similarity exceeds a threshold is regarded as a risk behavior.
Preferably, in step C, the behavior features include link behavior features, target behavior features, protocol behavior features and access behavior features.
The beneficial effects of adopting the above technical solution are: the present invention can give effective early warning of different types of APT attack, its deployment is flexible, and it is suitable for a variety of industrial network environments. The specially developed simulated-run mode of the present invention runs fast, consumes few resources, and identifies risk behavior effectively.
Detailed description of the invention
Fig. 1 is a schematic diagram of the system in a specific embodiment of the invention.
Specific embodiment
Referring to Fig. 1, a specific embodiment of the invention comprises:
An APT attack early warning system, comprising:
an acquisition module 1 for acquiring network communication data;
a data storage module 2 for temporarily storing the acquired network communication data;
a simulated run module 3 for performing a simulated run of the acquired network communication data;
a risk analysis module 4 for analyzing various risk behaviors;
a risk early warning module 5 for raising early warnings on the analyzed risk behaviors;
a risk correlation module 6 for performing correlation analysis on different risk behaviors and revising the early warning results.
An early warning method for the above APT attack early warning system, comprising the following steps:
A. the acquisition module 1 acquires network communication data and sends it to the data storage module 2;
B. the simulated run module 3 retrieves data from the data storage module 2 and performs a simulated run;
C. the risk analysis module 4 monitors the run in real time and analyzes risk behaviors;
D. the risk early warning module 5 raises early warnings on the analyzed risk behaviors;
E. the risk correlation module 6 performs correlation analysis on the analyzed risk behaviors and revises the early warning results.
In step A, network communication data is acquired in a periodic acquisition mode, the collection period being divided into a fixed part and a variable part, the variable part being proportional to the number of early warnings currently active; the data storage module 2 encapsulates the collected data, placing the data cache information into the data structure as a packet header during encapsulation.
In step B, the data storage module 2 allocates data run spaces according to the data cache information of the data structures: data structures with the same type of data cache information are allocated to the same data run space, where they time-share the simulated run, and data structures with identical destination addresses that run in different data run spaces are synchronized so that they run in parallel.
In step C, static nodes are set, and the risk analysis module 4 extracts the behavior features during the simulated run and compares them with the risk behavior features pre-stored in the vulnerability database; a behavior whose comparison similarity exceeds a threshold is regarded as a risk behavior.
In step C, the behavior features include link behavior features, target behavior features, protocol behavior features and access behavior features.
In step E, the behavior association degree is judged from a weighted average of the link overlap and the target consistency of each link behavior feature; when the behavior association degree of a behavior feature exceeds a threshold, the behavior containing that behavior feature is also determined to be a risk behavior.
The thresholds in this embodiment are all set according to actual operating conditions, through a limited number of trials with the present invention.
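Steps C and E above, rendered as an added worked example in Python. This code is not part of the patent or of any implementation by the applicant. The patent does not specify how behavior features are encoded, which similarity measure is used, or the weights and thresholds, so the set-valued features, mean Jaccard similarity over the four feature classes, the equal 0.5/0.5 weights in `association_degree`, and the thresholds 0.6 (similarity) and 0.4 (association) are assumptions; the two risk profiles in `RISK_DB` and the three observed behaviors are constructed sample data.

```python
"""Added example for steps C and E of the early warning method (not from the patent).

Assumptions: features are sets, similarity is mean Jaccard over the four feature
classes, the association degree uses equal weights, and the thresholds are 0.6
(similarity) and 0.4 (association). Risk profiles and observed behaviours are
constructed sample data.
"""

FEATURE_CLASSES = ("link", "target", "protocol", "access")

# Constructed risk database: pre-stored risk behaviour features (step C).
RISK_DB = {
    "lateral_move_to_hmi": {
        "link": {"ws->jump", "jump->hmi"},
        "target": {"hmi"},
        "protocol": {"smb", "rdp"},
        "access": {"login:admin", "exec:psexec"},
    },
    "plc_logic_write": {
        "link": {"hmi->plc"},
        "target": {"plc"},
        "protocol": {"modbus"},
        "access": {"write:coil", "write:holding_register"},
    },
}

# Constructed behaviour features as the risk analysis module would extract them from
# the simulated run: one clear match, one low-and-slow stage, one benign flow.
OBSERVED = [
    {"link": {"ws->jump", "jump->hmi"}, "target": {"hmi"},
     "protocol": {"smb", "rdp"}, "access": {"login:admin", "exec:psexec"}},
    {"link": {"jump->hmi", "hmi->plc"}, "target": {"hmi", "plc"},
     "protocol": {"modbus"}, "access": {"read:holding_register"}},
    {"link": {"eng->hist"}, "target": {"hist"},
     "protocol": {"https"}, "access": {"read:trend"}},
]


def jaccard(a: set, b: set) -> float:
    """Set overlap in [0, 1]; two empty sets count as no evidence, not as a match."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def similarity(behaviour: dict, profile: dict) -> float:
    """Step C comparison: mean Jaccard similarity over the four behaviour feature classes."""
    return sum(jaccard(behaviour[c], profile[c]) for c in FEATURE_CLASSES) / len(FEATURE_CLASSES)


def match_risk_db(behaviour: dict, risk_db: dict = RISK_DB):
    """Best-matching pre-stored risk profile and its similarity score."""
    return max(((name, similarity(behaviour, p)) for name, p in risk_db.items()),
               key=lambda t: t[1])


def association_degree(b1: dict, b2: dict, w_link: float = 0.5, w_target: float = 0.5) -> float:
    """Step E: weighted average of link overlap and target consistency between two behaviours."""
    link_overlap = jaccard(b1["link"], b2["link"])
    target_consistency = jaccard(b1["target"], b2["target"])
    return (w_link * link_overlap + w_target * target_consistency) / (w_link + w_target)


def run_pipeline(observed=OBSERVED, risk_db=RISK_DB, sim_threshold=0.6, assoc_threshold=0.4):
    """Steps C, D and E: direct matching, then correlation that revises the warning result.

    A behaviour below the similarity threshold is promoted to a risk behaviour when its
    association degree with an already flagged behaviour exceeds the association threshold.
    """
    direct = {i: match_risk_db(b, risk_db) for i, b in enumerate(observed)}
    flagged = {i for i, (_, score) in direct.items() if score > sim_threshold}   # step D
    promoted = {}
    for i in sorted(set(range(len(observed))) - flagged):
        for j in sorted(flagged):
            degree = association_degree(observed[i], observed[j])
            if degree > assoc_threshold:
                promoted[i] = (j, degree)
                break
    return {"direct": direct, "flagged": flagged, "promoted": promoted,
            "risk_behaviours": sorted(flagged | set(promoted))}


if __name__ == "__main__":
    result = run_pipeline()
    for i, (name, score) in result["direct"].items():
        print(f"behaviour {i}: closest profile {name}, similarity {score:.2f}")
    for i, (j, degree) in result["promoted"].items():
        print(f"behaviour {i} promoted: association {degree:.2f} with flagged behaviour {j}")
    print("risk behaviours after correlation:", result["risk_behaviours"])
```

With these constructed inputs, behaviour 0 matches `lateral_move_to_hmi` exactly and is flagged in step D; behaviour 1 reaches only 0.5 against `plc_logic_write` (its access feature is a read, not the profile's writes), so on its own it stays below the similarity threshold, but its link overlap (1/3) and target consistency (1/2) with behaviour 0 give an association degree of 5/12, above the assumed 0.4, and step E promotes it. Raising the association threshold to 0.5 leaves only behaviour 0, which shows how much the result depends on the thresholds the patent leaves to trial calibration.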
The above shows and describes the basic principles, main features and advantages of the present invention. Those skilled in the art should understand that the present invention is not limited to the above embodiments; the above embodiments and description only illustrate the principle of the invention, and various changes and improvements may be made without departing from the spirit and scope of the invention, all of which fall within the protection scope of the claimed invention. The protection scope of the invention is defined by the appended claims and their equivalents.
Claims (6)
1. An APT attack early warning system, characterized in that it comprises:
an acquisition module (1) for acquiring network communication data;
a data storage module (2) for temporarily storing the acquired network communication data;
a simulated run module (3) for performing a simulated run of the acquired network communication data;
a risk analysis module (4) for analyzing various risk behaviors;
a risk early warning module (5) for raising early warnings on the analyzed risk behaviors;
a risk correlation module (6) for performing correlation analysis on different risk behaviors and revising the early warning results.
2. An early warning method for the APT attack early warning system of claim 1, characterized in that it comprises the following steps:
A. the acquisition module (1) acquires network communication data and sends it to the data storage module (2);
B. the simulated run module (3) retrieves data from the data storage module (2) and performs a simulated run;
C. the risk analysis module (4) monitors the run in real time and analyzes risk behaviors;
D. the risk early warning module (5) raises early warnings on the analyzed risk behaviors;
E. the risk correlation module (6) performs correlation analysis on the analyzed risk behaviors and revises the early warning results.
3. The early warning method of the APT attack early warning system according to claim 2, characterized in that: in step A, network communication data is acquired in a periodic acquisition mode, the collection period being divided into a fixed part and a variable part, the variable part being proportional to the number of early warnings currently active; the data storage module (2) encapsulates the collected data, placing the data cache information into the data structure as a packet header during encapsulation.
4. The early warning method of the APT attack early warning system according to claim 3, characterized in that: in step B, the data storage module (2) allocates data run spaces according to the data cache information of the data structures; data structures with the same type of data cache information are allocated to the same data run space, where they time-share the simulated run, and data structures with identical destination addresses that run in different data run spaces are synchronized so that they run in parallel.
5. The early warning method of the APT attack early warning system according to claim 2, characterized in that: in step C, the risk analysis module (4) extracts behavior features during the simulated run and compares them with the risk behavior features pre-stored in the vulnerability database; a behavior whose comparison similarity exceeds a threshold is regarded as a risk behavior.
6. The early warning method of the APT attack early warning system according to claim 5, characterized in that: in step C, the behavior features include link behavior features, target behavior features, protocol behavior features and access behavior features.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810704938.XA CN108848102B (en) | 2018-07-02 | 2018-07-02 | APT attack early warning system and early warning method thereof |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108848102A true CN108848102A (en) | 2018-11-20 |
CN108848102B CN108848102B (en) | 2021-04-13 |
Family
ID=64201066
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810704938.XA Active CN108848102B (en) | 2018-07-02 | 2018-07-02 | APT attack early warning system and early warning method thereof |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108848102B (en) |
Citations (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103607388A (en) * | 2013-11-18 | 2014-02-26 | 浪潮(北京)电子信息产业有限公司 | APT threat prediction method and system |
CN104850780A (en) * | 2015-04-27 | 2015-08-19 | 北京北信源软件股份有限公司 | Discrimination method for advanced persistent threat attack |
CN104901971A (en) * | 2015-06-23 | 2015-09-09 | 北京东方棱镜科技有限公司 | Method and device for carrying out safety analysis on network behaviors |
CN105141598A (en) * | 2015-08-14 | 2015-12-09 | 中国传媒大学 | APT (Advanced Persistent Threat) attack detection method and APT attack detection device based on malicious domain name detection |
CN105260662A (en) * | 2014-07-17 | 2016-01-20 | 南京曼安信息科技有限公司 | Detection device and method for unknown application vulnerability threats |
CN105262726A (en) * | 2015-09-10 | 2016-01-20 | 中国人民解放军信息工程大学 | APT (Advanced Persistent Threat) attack detection method based on big data behavior sequence analysis |
CN105553957A (en) * | 2015-12-09 | 2016-05-04 | 国家电网公司 | Network security situation awareness early-warning method and system based on big data |
CN105721416A (en) * | 2015-11-16 | 2016-06-29 | 哈尔滨安天科技股份有限公司 | APT event attack organization homology analysis method and apparatus |
CN107196910A (en) * | 2017-04-18 | 2017-09-22 | 国网山东省电力公司电力科学研究院 | Threat early warning and monitoring system, method and deployment framework based on big data analysis |
CN107426159A (en) * | 2017-05-03 | 2017-12-01 | 成都国腾实业集团有限公司 | APT monitoring and defense method based on big data analysis |
CN107645503A (en) * | 2017-09-20 | 2018-01-30 | 杭州安恒信息技术有限公司 | Rule-based method for detecting the DGA family of a malicious domain name |
CN108229153A (en) * | 2016-12-21 | 2018-06-29 | 青岛祥智电子技术有限公司 | Method for discriminating advanced persistent threat attacks |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Tildesley et al. | | The role of pre-emptive culling in the control of foot-and-mouth disease |
CN103782303A | | System and method for non-signature based detection of malicious processes |
CN105144187A | | Method and product for providing a predictive security product and evaluating existing security products |
CN107786532A | | System and method for using virtual honeypots in industrial automation systems and cloud connectors |
US20120036577A1 | | Method and system for alert classification in a computer network |
CN106133740A | | Log analysis system |
CN109660518A | | Network communication data detection method, device and machine-readable storage medium |
CN106104556A | | Log analysis system |
Vernon et al. | | Impact of regulatory perturbations to disease spread through cattle movements in Great Britain |
US10931706B2 | | System and method for detecting and identifying a cyber-attack on a network |
CN103532969A | | Botnet detection method, device and processor |
CN106295348A | | Vulnerability detection method and device for application programs |
CN110336835A | | Malicious behavior detection method, user equipment, storage medium and device |
CN104732145A | | Method and device for detecting parasitic processes in a virtual machine |
CN106209902A | | Network security system and detection method for an intellectual property operation platform |
Smith et al. | | Dynamic analysis of executables to detect and characterize malware |
CN110311901B | | Lightweight network sandbox setup method based on container technology |
Roche et al. | | Assessing the risk of highly pathogenic avian influenza H5N1 transmission through poultry movements in Bali, Indonesia |
Salmi et al. | | CNN-LSTM based approach for DoS attack detection in wireless sensor networks |
EP4009586A1 | | A system and method for automatically neutralizing malware |
CN110210216A | | Virus detection method and related apparatus |
CN112788065B | | Internet of things botnet tracking method and device based on honeypots and sandboxes |
Canini et al. | | Deciphering the role of host species for two Mycobacterium bovis genotypes from the European 3 clonal complex circulation within a cattle‐badger‐wild boar multihost system |
CN111431883A | | Web attack detection method and device based on access parameters |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||