CN108848102B - APT attack early warning system and early warning method thereof - Google Patents
- Publication number: CN108848102B (application CN201810704938.XA)
- Authority: CN (China)
- Prior art keywords: risk, module, early warning, data, network communication
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/1408: Network security, detecting or protecting against malicious traffic (H04L63/14) by monitoring network traffic
- H04L63/1441: Network security, detecting or protecting against malicious traffic (H04L63/14), countermeasures against malicious traffic
- H04L63/30: Network security, supporting lawful interception, monitoring or retaining of communications or communication related information
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Technology Law (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention discloses an APT attack early warning system comprising an acquisition module for acquiring network communication data; a data storage module for temporarily storing the acquired network communication data; a simulation operation module for running the acquired network communication data in a simulated environment (the "simulation operation"); a risk analysis module for analyzing the various risk behaviors; a risk early warning module for issuing warnings on the analyzed risk behaviors; and a risk correlation module for performing correlation analysis across different risk behaviors and correcting the warning result. The invention remedies the defects of the prior art and provides early warning across the full life cycle of an APT attack.
Description
Technical Field
The invention relates to the technical field of security defense for industrial control systems, in particular to an APT attack early warning system and an APT attack early warning method.
Background
An APT attack is a targeted attack that combines techniques the existing detection systems find hard to detect (0-day vulnerabilities, N-day vulnerabilities, variants of known vulnerabilities, custom trojans, etc.) with multiple further means such as social engineering, phishing and supply-chain implants. Traditional products that rely on an after-the-fact signature mechanism, such as IPS, IDS, antivirus gateways and security gateways, are almost entirely ineffective against an APT attack, and custom trojans and 0-day/N-day vulnerabilities continue to challenge traditional security equipment.
Disclosure of Invention
The invention aims to provide an APT attack early warning system and an APT attack early warning method that overcome the defects of the prior art and provide early warning across the full life cycle of an APT attack.
To solve the above technical problem, the invention adopts the following technical solution.
An APT attack early warning system comprises:
the acquisition module, used for acquiring network communication data;
the data storage module, used for temporarily storing the acquired network communication data;
the simulation operation module, used for carrying out the simulation operation on the acquired network communication data;
the risk analysis module, used for analyzing the various risk behaviors;
the risk early warning module, used for issuing warnings on the analyzed risk behaviors;
and the risk correlation module, used for performing correlation analysis across different risk behaviors and correcting the warning result.
An early warning method of the APT attack early warning system comprises the following steps:
A. the acquisition module acquires network communication data and sends it to the data storage module;
B. the simulation operation module retrieves data from the data storage module and performs the simulation operation;
C. the risk analysis module monitors the operation process in real time and analyzes risk behaviors;
D. the risk early warning module issues warnings on the analyzed risk behaviors;
E. the risk correlation module performs correlation analysis on the analyzed risk behaviors and corrects the warning result.
Preferably, in step A, the network communication data is acquired periodically; the acquisition period consists of a fixed period and a non-fixed period, the non-fixed period being directly proportional to the number of warnings currently active; the data storage module encapsulates the acquired data, writing the data cache information into the data structure body as a packet header during encapsulation.
Preferably, in step B, the data storage module allocates data operation spaces according to the data cache information of each data structure body: data structure bodies whose cache information is of the same type are allocated to the same data operation space, where they undergo the simulation operation by time-division multiplexing, and data structure bodies with the same destination address that are running in different data operation spaces are operated on synchronously in parallel.
Preferably, in step C, the risk analysis module extracts the behavior features observed during the simulation operation, compares them with the risk behavior features pre-stored in the risk database, and classifies any behavior whose similarity to a stored feature exceeds a threshold as a risk behavior.
Preferably, in step C, the behavior features comprise link behavior features, target behavior features, protocol behavior features and access behavior features.
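Steps A and B above describe a scheduling and allocation scheme rather than an algorithm, so the following added example (written for this page; it is not the patent's code and the patent discloses no implementation) shows one concrete reading of it: an acquisition period made of a fixed part plus a non-fixed part proportional to the live warning count, encapsulation of each capture into a structure whose header carries the cache information, allocation of those structures to operation spaces keyed by cache-information type, and a round-based schedule in which records inside one space take turns while records in different spaces run side by side. The header fields (`kind`, `dst`, `captured_at`), the `Record` type, the round-robin `schedule` and the sample captures are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CacheInfo:
    """Packet header written in front of each captured record (assumed fields)."""
    kind: str         # type of the cache information, e.g. the protocol/session class
    dst: str          # destination address of the captured traffic
    captured_at: int  # acquisition tick at which the record was taken


@dataclass(frozen=True)
class Record:
    """Data structure body: cache-info header plus the captured bytes."""
    header: CacheInfo
    payload: bytes


def acquisition_period(fixed: float, per_warning: float, live_warnings: int) -> float:
    """Step A: total period = fixed period + non-fixed period, where the
    non-fixed period is directly proportional to the live warning count."""
    if fixed <= 0 or per_warning < 0 or live_warnings < 0:
        raise ValueError("invalid period parameters")
    return fixed + per_warning * live_warnings


def encapsulate(kind: str, dst: str, tick: int, raw: bytes) -> Record:
    """Step A: the storage module wraps the raw capture with its header."""
    return Record(CacheInfo(kind, dst, tick), raw)


def allocate(records):
    """Step B: one operation space per cache-info type; records in a space are
    ordered for time-shared execution. Also returns, per destination, the
    spaces holding records for it, i.e. what may run in parallel."""
    spaces = defaultdict(list)
    for r in records:
        spaces[r.header.kind].append(r)
    for queue in spaces.values():
        queue.sort(key=lambda r: r.header.captured_at)
    kinds_by_dst = defaultdict(set)
    for r in records:
        kinds_by_dst[r.header.dst].add(r.header.kind)
    parallel = {d: sorted(k) for d, k in kinds_by_dst.items() if len(k) > 1}
    return dict(spaces), parallel


def schedule(spaces):
    """Build execution rounds: each round takes the head of every non-empty
    space (parallel across spaces), so records inside one space take turns
    (time-division multiplexing). Returns rounds of (kind, dst, tick)."""
    queues = {k: list(v) for k, v in spaces.items()}
    rounds = []
    while any(queues.values()):
        rnd = []
        for kind in sorted(queues):
            if queues[kind]:
                r = queues[kind].pop(0)
                rnd.append((kind, r.header.dst, r.header.captured_at))
        rounds.append(rnd)
    return rounds


# Constructed sample captures (illustrative, not real traffic).
SAMPLE = [
    encapsulate("http", "10.0.0.5", 1, b"GET /login HTTP/1.1"),
    encapsulate("modbus", "10.0.0.5", 2, b"\x00\x01\x00\x00\x00\x06\x01\x03"),
    encapsulate("http", "10.0.0.7", 3, b"POST /upload HTTP/1.1"),
    encapsulate("dns", "10.0.0.5", 4, b"\x12\x34\x01\x00"),
]


def run_sample():
    """Allocate the sample and schedule it; returns (spaces, parallel, rounds)."""
    spaces, parallel = allocate(SAMPLE)
    return spaces, parallel, schedule(spaces)


if __name__ == "__main__":
    spaces, parallel, rounds = run_sample()
    print("period with 0 warnings:", acquisition_period(10.0, 2.0, 0))
    print("period with 3 warnings:", acquisition_period(10.0, 2.0, 3))
    print("records per space:", {k: len(v) for k, v in spaces.items()})
    print("destinations spanning several spaces:", parallel)
    for i, rnd in enumerate(rounds, 1):
        print(f"round {i}:", rnd)
```

Note that, read literally, a period that grows with the number of live warnings samples less often while more alerts are open; the patent states the proportionality but not the rationale, so the function implements it as stated and a deployment would want to confirm the intended direction under load.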
The technical solution above brings the following beneficial effects: the invention can effectively give early warning of different types of APT attack, can be deployed flexibly, and suits a variety of industrial network environments. It adopts a specially developed simulation operation mode that runs fast, occupies few resources, and identifies risk behaviors effectively.
Drawings
FIG. 1 is a system schematic of one embodiment of the present invention.
Detailed Description
Referring to FIG. 1, one embodiment of the present invention is an APT attack early warning system comprising:
the acquisition module 1, used for acquiring network communication data;
the data storage module 2, used for temporarily storing the acquired network communication data;
the simulation operation module 3, used for carrying out the simulation operation on the acquired network communication data;
the risk analysis module 4, used for analyzing the various risk behaviors;
the risk early warning module 5, used for issuing warnings on the analyzed risk behaviors;
and the risk correlation module 6, used for performing correlation analysis across different risk behaviors and correcting the warning result.
An early warning method of the APT attack early warning system comprises the following steps:
A. the acquisition module 1 acquires network communication data and sends it to the data storage module 2;
B. the simulation operation module 3 retrieves data from the data storage module 2 and performs the simulation operation;
C. the risk analysis module 4 monitors the operation process in real time and analyzes risk behaviors;
D. the risk early warning module 5 issues warnings on the analyzed risk behaviors;
E. the risk correlation module 6 performs correlation analysis on the analyzed risk behaviors and corrects the warning result.
In step A, the network communication data is acquired periodically; the acquisition period consists of a fixed period and a non-fixed period, the non-fixed period being directly proportional to the number of warnings currently active; the data storage module 2 encapsulates the acquired data, writing the data cache information into the data structure body as a packet header during encapsulation.
In step B, the data storage module 2 allocates data operation spaces according to the data cache information of each data structure body: data structure bodies whose cache information is of the same type are allocated to the same data operation space, where they undergo the simulation operation by time-division multiplexing, and data structure bodies with the same destination address that are running in different data operation spaces are operated on synchronously in parallel.
In step C, by setting static nodes, the risk analysis module 4 extracts the behavior features observed during the simulation operation, compares them with the risk behavior features pre-stored in the risk database, and classifies any behavior whose similarity to a stored feature exceeds a threshold as a risk behavior.
In step C, the behavior features comprise link behavior features, target behavior features, protocol behavior features and access behavior features.
In step E, the association degree between behaviors is judged from the weighted average of the link coincidence degree and the target consistency degree of the behavior features of each link; when the association degree of a set of behavior features exceeds a threshold, the behavior containing those features is regarded as a risk behavior.
The thresholds in this embodiment are set by a limited number of tests carried out under the actual working conditions.
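Steps C and E are stated in terms of "similarity above a threshold" and "weighted average of link coincidence and target consistency" without a metric or weights. The added example below (written for this page, not the patent's code) fixes one concrete choice so the two steps can be run end to end: each behavior carries the four feature groups named in the text as tag sets, step C scores an observed behavior against the pre-stored risk database by the mean per-group Jaccard similarity and flags it above a threshold, and step E computes the association degree of every pair as the weighted average of link coincidence and target consistency and uses it to correct the warning result by escalating a behavior that was not flagged alone but is strongly associated with one that was. The Jaccard metric, the equal weights, both thresholds, the `Behavior` type and all sample tags are assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import combinations

FEATURE_GROUPS = ("link", "target", "protocol", "access")


@dataclass(frozen=True)
class Behavior:
    """Behavior features extracted during the simulation operation; each group
    is a set of tags (assumed representation)."""
    name: str
    link: frozenset
    target: frozenset
    protocol: frozenset
    access: frozenset


def jaccard(a: frozenset, b: frozenset) -> float:
    """Set similarity used for every feature group (assumed metric)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def similarity(x: Behavior, y: Behavior) -> float:
    """Mean per-group similarity between an observed behavior and a stored one."""
    return sum(jaccard(getattr(x, g), getattr(y, g)) for g in FEATURE_GROUPS) / len(FEATURE_GROUPS)


def analyze(observed, risk_db, threshold):
    """Step C: flag behaviors whose best match in the risk database exceeds threshold.
    Returns {behavior name: (matched signature name, score)}."""
    flagged = {}
    for b in observed:
        score, match = max(((similarity(b, s), s.name) for s in risk_db), default=(0.0, None))
        if score > threshold:
            flagged[b.name] = (match, round(score, 3))
    return flagged


def association(x, y, w_link=0.5, w_target=0.5):
    """Step E: association degree = weighted average of link coincidence and target consistency."""
    link_coincidence = jaccard(x.link, y.link)
    target_consistency = jaccard(x.target, y.target)
    return (w_link * link_coincidence + w_target * target_consistency) / (w_link + w_target)


def correlate(observed, flagged, assoc_threshold, w_link=0.5, w_target=0.5):
    """Step E: correct the warning result. A behavior not flagged on its own is
    added when its association degree with an already flagged behavior exceeds
    assoc_threshold (an attack stage sharing links and targets with a known stage)."""
    corrected = dict(flagged)
    for x, y in combinations(observed, 2):
        degree = association(x, y, w_link, w_target)
        if degree <= assoc_threshold:
            continue
        if x.name in corrected and y.name not in corrected:
            corrected[y.name] = (f"associated with {x.name}", round(degree, 3))
        elif y.name in corrected and x.name not in corrected:
            corrected[x.name] = (f"associated with {y.name}", round(degree, 3))
    return corrected


def B(name, link, target, protocol, access):
    return Behavior(name, frozenset(link), frozenset(target), frozenset(protocol), frozenset(access))


# Constructed risk database and observed behaviors (illustrative tags, not real signatures).
RISK_DB = [
    B("c2-beacon", {"outbound", "periodic"}, {"external"}, {"http"}, {"read"}),
    B("plc-write", {"lateral"}, {"plc"}, {"modbus"}, {"write-coil"}),
]
OBSERVED = [
    B("b1", {"outbound", "periodic"}, {"external"}, {"http"}, {"read"}),   # matches c2-beacon
    B("b2", {"lateral"}, {"plc"}, {"modbus"}, {"read-holding"}),            # close to plc-write
    B("b3", {"lateral"}, {"plc"}, {"http"}, {"read"}),                      # weak alone, same link/target as b2
]

SIM_THRESHOLD = 0.7    # step C threshold; the patent sets it by testing, this value is assumed
ASSOC_THRESHOLD = 0.6  # step E threshold, assumed


def run_sample():
    """Run step C then step E on the sample; returns (flagged, corrected)."""
    flagged = analyze(OBSERVED, RISK_DB, SIM_THRESHOLD)
    return flagged, correlate(OBSERVED, flagged, ASSOC_THRESHOLD)


if __name__ == "__main__":
    flagged, corrected = run_sample()
    print("step C flagged:", flagged)
    print("step E corrected:", corrected)
```

With these inputs b1 and b2 are flagged by similarity alone, while b3 (half its feature groups match either signature, so it scores 0.5) is only escalated because its link and target features coincide fully with b2's; that escalation is the "correction of the warning result" the text describes. The thresholds decide how much of this coupling is tolerated, which is why the text leaves them to tests under real working conditions.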
The foregoing shows and describes the general principles and broad features of the present invention and advantages thereof. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, which are described in the specification and illustrated only to illustrate the principle of the present invention, but that various changes and modifications may be made therein without departing from the spirit and scope of the present invention, which fall within the scope of the invention as claimed. The scope of the invention is defined by the appended claims and equivalents thereof.
Claims (3)
1. An early warning method of an APT attack early warning system, the APT attack early warning system comprising:
the acquisition module (1), used for acquiring network communication data;
the data storage module (2), used for temporarily storing the acquired network communication data;
the simulation operation module (3), used for carrying out the simulation operation on the acquired network communication data;
the risk analysis module (4), used for analyzing the various risk behaviors;
the risk early warning module (5), used for issuing warnings on the analyzed risk behaviors;
the risk correlation module (6), used for performing correlation analysis across different risk behaviors and correcting the warning result;
the method being characterized by comprising the following steps:
A. the acquisition module (1) acquires network communication data and sends it to the data storage module (2); the network communication data is acquired periodically, the acquisition period consisting of a fixed period and a non-fixed period, the non-fixed period being directly proportional to the number of warnings currently active; the data storage module (2) encapsulates the acquired data, and the data cache information is written into the data structure body as a packet header during encapsulation;
B. the simulation operation module (3) retrieves data from the data storage module (2) and performs the simulation operation; the data storage module (2) allocates data operation spaces according to the data cache information of the data structure bodies, allocates data structure bodies with the same type of data cache information to the same data operation space for time-division multiplexed simulation operation, and operates synchronously and in parallel on data structure bodies with the same destination address that are running in different data operation spaces;
C. the risk analysis module (4) monitors the operation process in real time and analyzes risk behaviors;
D. the risk early warning module (5) issues warnings on the analyzed risk behaviors;
E. the risk correlation module (6) performs correlation analysis on the analyzed risk behaviors and corrects the warning result.
2. The early warning method of the APT attack early warning system according to claim 1, wherein in step C the risk analysis module (4) extracts the behavior features observed during the simulation operation, compares them with the risk behavior features pre-stored in the risk database, and classifies any behavior whose similarity to a stored feature exceeds a threshold as a risk behavior.
3. The early warning method of the APT attack early warning system according to claim 2, wherein in step C the behavior features comprise link behavior features, target behavior features, protocol behavior features and access behavior features.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810704938.XA CN108848102B (en) | 2018-07-02 | 2018-07-02 | APT attack early warning system and early warning method thereof |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108848102A CN108848102A (en) | 2018-11-20 |
CN108848102B true CN108848102B (en) | 2021-04-13 |
Family
ID=64201066
Citations (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103607388A (en) * | 2013-11-18 | 2014-02-26 | 浪潮(北京)电子信息产业有限公司 | APT threat prediction method and system |
CN104850780A (en) * | 2015-04-27 | 2015-08-19 | 北京北信源软件股份有限公司 | Discrimination method for advanced persistent threat attack |
CN104901971A (en) * | 2015-06-23 | 2015-09-09 | 北京东方棱镜科技有限公司 | Method and device for carrying out safety analysis on network behaviors |
CN105141598A (en) * | 2015-08-14 | 2015-12-09 | 中国传媒大学 | APT (Advanced Persistent Threat) attack detection method and APT attack detection device based on malicious domain name detection |
CN105260662A (en) * | 2014-07-17 | 2016-01-20 | 南京曼安信息科技有限公司 | Detection device and method of unknown application bug threat |
CN105262726A (en) * | 2015-09-10 | 2016-01-20 | 中国人民解放军信息工程大学 | APT (Advanced Persistent Threat) attack detection method based on big data behavior sequence analysis |
CN105553957A (en) * | 2015-12-09 | 2016-05-04 | 国家电网公司 | Network safety situation awareness early-warning method and system based big data |
CN105721416A (en) * | 2015-11-16 | 2016-06-29 | 哈尔滨安天科技股份有限公司 | APT event attack organization homology analysis method and apparatus |
CN107196910A (en) * | 2017-04-18 | 2017-09-22 | 国网山东省电力公司电力科学研究院 | Threat early warning monitoring system, method and the deployment framework analyzed based on big data |
CN107426159A (en) * | 2017-05-03 | 2017-12-01 | 成都国腾实业集团有限公司 | APT based on big data analysis monitors defence method |
CN107645503A (en) * | 2017-09-20 | 2018-01-30 | 杭州安恒信息技术有限公司 | Rule-based detection method for the DGA family to which a malicious domain name belongs |
CN108229153A (en) * | 2016-12-21 | 2018-06-29 | 青岛祥智电子技术有限公司 | Discrimination method for advanced persistent threat attacks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||