In the prior art, network attacks have become increasingly complex and their influence on military and commercial affairs increasingly extensive. The unpredictability of attacks makes advanced persistent threats harder to detect, and the development of attacks shows in the much higher degree of automation and speed of the various attack means that attackers use: after successfully penetrating an internal network, an attacker lies dormant for a long time, continuously obtains relevant sensitive information and escalates privileges by every available means, until important sensitive information is obtained. Such highly covert attacks need to be found and handled in time so that the operating system as a whole is protected. However, when a hacker holds a vulnerability unknown to the network administrators and obtains back-door permissions, behaving like a normal user, the attack is only discovered once assets have already been lost; emergency handling at that point can only reduce the extent of the damage, not avoid it.
An advanced persistent threat (Advanced Persistent Threat, APT) may reside in a user environment for one year or longer, continuously collecting various information until valuable information has been gathered. The purpose of the hackers who launch such attacks is frequently not to profit in the short term by using a "controlled host" as a springboard, but to search persistently until they can thoroughly grasp the targeted persons, matters and objects. Such attacks are characterised by a duration that may reach several years; the attacker continually tries various attack means and, after penetrating the network, lies hidden inside it for a long time so that the network administrators have no way of discovering it.
Although an APT resembles common attack behaviour in its attack process, in its specific steps it is a targeted, organised attack pattern. Its attack features are difficult to extract, each individual point is highly concealed, the attack channels are diverse and the attack duration is long, so that traditional defence mechanisms based on real-time detection and real-time blocking have difficulty playing an effective role.
A search of prior-art documents finds Chinese Patent Application No. CN201710802670.9, entitled "Network security event process analysis method and system based on timeline". That method comprises: obtaining the log file location of the attacked object; reading the log file at that location; and analysing the content of the log file according to a log timeline algorithm, so as to obtain the attack path of the attacked object in the network security event. The timeline-based network security event process analysis method of that invention can analyse the content of log files automatically and more intelligently, improving efficiency, and because the analysis of the log file content is carried out by a log timeline algorithm it can obtain the attack path of the attacked object, alleviating the technical problems of traditional manual analysis, which cannot restore the attack path of the attacked object, has low analysis efficiency and a poor degree of intelligence. That technology, however, is an after-the-fact reconstruction and cannot make a judgement in advance; even if the hacker's attack path is restored, it is difficult to recover the losses that have already resulted.
Summary of the invention
In view of the deficiencies of the prior art, the object of the present invention is to provide an advanced persistent threat analysis method based on an attack timeline, so as to solve the problems mentioned in the background above.
To achieve the above object, the present invention is realised by the following technical solution: an advanced persistent threat analysis method based on an attack timeline, comprising the following steps:
S1: take over all executable programs and pipelines of the system kernel, and enumerate all network channels;
S2: longitudinal monitoring: detect user processes and network behaviour occurring at abnormal activity times;
S3: submit the captured software execution and API information across the boundary from the kernel layer to a behavioural analysis engine in the application layer, and judge whether it is an attack; if so, issue an alarm and continue executing; if not, jump to S4;
S4: lateral monitoring: persistently monitor the behaviour of these users, then return to step S3 and continue executing.
S1 comprises the following steps:
S1.1: take over all program execution pipelines of the system kernel and capture the operations of the various system and application layers; convert the various instructions in the execution process into a standard format for detection, i.e. convert process execution, including PE files and all kinds of scripts, into operation instructions. In other words, use kernel functions to take over all execution processes and command pipelines in the system, capture the internal execution process and the API function call situation, and convert the execution process into instructions for detection;
S1.2: set the network card to promiscuous mode, obtain protocol data packets of various types through the network layer, extract the data packets at the different network layers, obtain the suspicious features in the data, and from that extraction obtain suspicious behavioural features.
S2 comprises the following steps:
S2.1: analyse the data ports appearing in the network traffic in conjunction with the local ports; if a port in the traffic cannot be obtained through the local API as an application port, it is regarded as a potential attack data port and the system alerts; if the port information in the network traffic is consistent with the locally obtained port information, it is regarded as a normally used port number and is not processed;
S2.2: enumerate the network channels, which include remote desktop and IPC shared pipes; according to time-difference features and an IP whitelist mechanism, intercept network channel requests issued by abnormal IPs at abnormal times, and implement control over the IPC channels commonly used by attackers; when abnormal behaviour is discovered, the system alarms;
S2.3: monitor the creation, renaming, rewriting, access and execution of all files inside the system, and extract abnormal keyword information from any file that changes; if abnormal keyword information is detected, for example an executable file with a name similar to a system file being created in a system folder, or an executable program being run in a Pictures folder, the system carries out alarm processing;
S2.4: when user processes and network behaviour at abnormal activity times are detected, track them further, and determine and obtain the attributes of the network security threat itself, such as its features, dynamic domain names, control-terminal network addresses, circulation mode, transmission routes and author information.
Further, the data packets passing through the local machine are sniffed at the local IP link layer, the TCP, UDP, DNS and ICMP data packet types and the data port information are dynamically recognised, and suspicious behavioural features are extracted from the application-layer data, the behavioural features being those that contain the malicious operation instructions of a network attack.
Further, the change includes: addition, modification, format change and deletion of a file.
Further, the keyword information includes: file name, file type, file location and operation time.
Beneficial effects of the present invention: the advanced persistent threat analysis method based on an attack timeline of the invention captures the behavioural information of processes and the kernel through channels inside the operating system; by analysing the suspiciousness of operation behaviour and matching it against an intrusion feature database for decision, dynamically analysing network traffic data and features, and mining the user behaviour occurring at abnormal activity times, it determines whether a malicious attack exists and continues tracking it, thereby detecting advanced persistent threats. Detection efficiency is high, and the behaviour of an attack at the system level can be analysed more fully.
Specific embodiment
To make the technical means, creative features, aims and effects achieved by the present invention easy to understand, the invention is further explained below with reference to specific embodiments.
Referring to Fig. 1, the present invention provides a technical solution: an advanced persistent threat analysis method based on an attack timeline, comprising the following steps:
S1: take over all executable programs and pipelines of the system kernel, and enumerate all network channels;
S2: longitudinal monitoring: detect user processes and network behaviour occurring at abnormal activity times;
S3: submit the captured software execution and API information across the boundary from the kernel layer to a behavioural analysis engine in the application layer, and judge whether it is an attack; if so, issue an alarm and continue executing; if not, jump to S4;
S4: lateral monitoring: persistently monitor the behaviour of these users, then return to step S3 and continue executing.
S1 comprises the following steps:
S1.1: take over all program execution pipelines of the system kernel and capture the operations of the various system and application layers; convert the various instructions in the execution process into a standard format for detection, i.e. convert process execution, including PE files and all kinds of scripts, into operation instructions. In other words, use kernel functions to take over all execution processes and command pipelines in the system, capture the internal execution process and the API function call situation, and convert the execution process into instructions for detection;
S1.2: set the network card to promiscuous mode, obtain protocol data packets of various types through the network layer, extract the data packets at the different network layers, obtain the suspicious features in the data, and from that extraction obtain suspicious behavioural features.
S2 comprises the following steps:
S2.1: analyse the data ports appearing in the network traffic in conjunction with the local ports; if a port in the traffic cannot be obtained through the local API as an application port, it is regarded as a potential attack data port and the system alerts; if the port information in the network traffic is consistent with the locally obtained port information, it is regarded as a normally used port number and is not processed;
S2.2: enumerate the network channels, which include remote desktop and IPC shared pipes; according to time-difference features and an IP whitelist mechanism, intercept network channel requests issued by abnormal IPs at abnormal times, and implement control over the IPC channels commonly used by attackers; when abnormal behaviour is discovered, the system alarms;
S2.3: monitor the creation, renaming, rewriting, access and execution of all files inside the system, and extract abnormal keyword information from any file that changes; if abnormal keyword information is detected, for example an executable file with a name similar to a system file being created in a system folder, or an executable program being run in a Pictures folder, the system carries out alarm processing;
S2.4: when user processes and network behaviour at abnormal activity times are detected, track them further, and determine and obtain the attributes of the network security threat itself, such as its features, dynamic domain names, control-terminal network addresses, circulation mode, transmission routes and author information.
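The two network-side checks of S2.1 and S2.2, written out as an added Python example (this is illustrative code, not part of the patent or of any product it describes). The local socket table, the packet summaries, the local address 10.0.0.5, the whitelist 10.0.0.0/24 and the business-hours window are all constructed assumptions standing in for what the local socket API and a promiscuous-mode capture would supply:

```python
"""Longitudinal network monitoring (steps S2.1 and S2.2) over constructed sample data."""
from datetime import datetime
from ipaddress import ip_address, ip_network

LOCAL_HOST = "10.0.0.5"   # assumed address of the monitored machine (constructed)

# Constructed stand-in for what the local socket API reports: (proto, local port) -> owning process.
LOCAL_SOCKETS = {
    ("tcp", 3389): "svchost.exe",   # remote desktop listener
    ("tcp", 445): "System",         # SMB / IPC shared pipe
    ("tcp", 52001): "chrome.exe",   # an established outbound client connection
    ("udp", 53): "svchost.exe",
}

# Constructed packet summaries as a promiscuous-mode capture would yield them.
OBSERVED_FLOWS = [
    {"ts": "2023-03-06T10:12:01", "proto": "tcp", "src": LOCAL_HOST, "sport": 52001, "dst": "93.184.216.34", "dport": 443},
    {"ts": "2023-03-06T10:15:44", "proto": "tcp", "src": "10.0.0.9", "sport": 50211, "dst": LOCAL_HOST, "dport": 3389},
    {"ts": "2023-03-06T02:31:09", "proto": "tcp", "src": "203.0.113.7", "sport": 40022, "dst": LOCAL_HOST, "dport": 3389},
    {"ts": "2023-03-06T02:33:15", "proto": "tcp", "src": "10.0.0.77", "sport": 49812, "dst": LOCAL_HOST, "dport": 445},
    {"ts": "2023-03-06T11:02:58", "proto": "tcp", "src": LOCAL_HOST, "sport": 4444, "dst": "198.51.100.3", "dport": 8080},
]

# Channels named in S2.2 and the access policy assumed for them (constructed).
CHANNEL_PORTS = {3389: "remote desktop", 445: "IPC shared pipe"}
ALLOWED_SOURCES = [ip_network("10.0.0.0/24")]
BUSINESS_HOURS = (8, 18)   # requests outside [08:00, 18:00) count as abnormal time


def local_port_of(flow):
    """Return the port on the local side of a flow, or None if the local host is not a party."""
    if flow["dst"] == LOCAL_HOST:
        return flow["dport"]
    if flow["src"] == LOCAL_HOST:
        return flow["sport"]
    return None


def unaccounted_ports(flows, local_sockets):
    """S2.1: a local-side port that no local process accounts for is a potential attack data port."""
    alerts = []
    for flow in flows:
        port = local_port_of(flow)
        if port is None:
            continue
        if (flow["proto"], port) not in local_sockets:
            alerts.append({"rule": "S2.1 unaccounted port", "ts": flow["ts"],
                           "proto": flow["proto"], "port": port})
    return alerts


def channel_request_alerts(flows, allowed=ALLOWED_SOURCES, hours=BUSINESS_HOURS):
    """S2.2: inbound remote-desktop / IPC requests from a non-whitelisted IP or at an abnormal time."""
    alerts = []
    for flow in flows:
        if flow["dst"] != LOCAL_HOST or flow["dport"] not in CHANNEL_PORTS:
            continue
        src = ip_address(flow["src"])
        hour = datetime.fromisoformat(flow["ts"]).hour
        reasons = []
        if not any(src in net for net in allowed):
            reasons.append("source not in IP whitelist")
        if not (hours[0] <= hour < hours[1]):
            reasons.append("request at abnormal time")
        if reasons:
            alerts.append({"rule": "S2.2 " + CHANNEL_PORTS[flow["dport"]], "ts": flow["ts"],
                           "src": flow["src"], "reasons": reasons})
    return alerts


def analyse(flows=OBSERVED_FLOWS):
    """Run both checks and return the alerts ordered by time."""
    return sorted(unaccounted_ports(flows, LOCAL_SOCKETS) + channel_request_alerts(flows),
                  key=lambda a: a["ts"])


if __name__ == "__main__":
    for alert in analyse():
        print(alert)
```

On the constructed data the S2.1 check flags only the outbound connection from local port 4444, which no process accounts for, while the two remote-desktop and IPC requests at 02:31 and 02:33 are flagged by S2.2: the first because its source is outside the whitelist and the time is abnormal, the second on time alone. A real deployment would refresh the socket table from the host API on every evaluation rather than use a static dictionary.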
The data packets passing through the local machine are sniffed at the local IP link layer, the TCP, UDP, DNS and ICMP data packet types and the data port information are dynamically recognised, and suspicious behavioural features are extracted from the application-layer data, the behavioural features being those that contain the malicious operation instructions of a network attack.
The change includes: addition, modification, format change and deletion of a file.
The keyword information includes: file name, file type, file location and operation time.
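The file-monitoring step S2.3 together with the keyword information just listed, as an added Python example (illustrative code, not the patent's own). The file events, the set of well-known system binaries, the watched folders and the name-similarity threshold of 0.8 are constructed assumptions; a real monitor would receive the events from the kernel-level file hooks the text describes:

```python
"""File-change monitoring (step S2.3) over constructed Windows file events."""
from difflib import SequenceMatcher
from pathlib import PureWindowsPath

# Constructed events as a file-system monitor would emit them: (operation, path, time).
FILE_EVENTS = [
    ("create", r"C:\Windows\System32\svch0st.exe", "2023-03-06T02:40:11"),
    ("create", r"C:\Windows\System32\drivers\etc\hosts", "2023-03-06T09:00:05"),
    ("rewrite", r"C:\Users\alice\Documents\report.docx", "2023-03-06T14:22:40"),
    ("execute", r"C:\Users\alice\Pictures\holiday.jpg.exe", "2023-03-06T02:41:03"),
    ("execute", r"C:\Program Files\Editor\editor.exe", "2023-03-06T14:25:00"),
    ("rename", r"C:\Windows\lsasss.exe", "2023-03-06T03:10:30"),
    ("delete", r"C:\Users\alice\Pictures\IMG_0001.jpg", "2023-03-06T15:01:00"),
]

# Assumed reference data (constructed): well-known system binaries and the folders to watch.
KNOWN_SYSTEM_FILES = {"svchost.exe", "lsass.exe", "explorer.exe", "csrss.exe", "winlogon.exe"}
SYSTEM_FOLDERS = (PureWindowsPath(r"C:\Windows"),)
PICTURE_FOLDER_NAME = "Pictures"
EXECUTABLE_TYPES = {".exe", ".dll", ".scr", ".com", ".ps1", ".vbs", ".js"}
SIMILARITY_THRESHOLD = 0.8   # assumed: names this close to a system file, but not equal, are suspicious


def keyword_info(event):
    """Extract the keyword information named in the text: file name, type, location, operation time."""
    op, path, ts = event
    p = PureWindowsPath(path)
    return {"operation": op, "name": p.name, "type": p.suffix.lower(),
            "location": str(p.parent), "time": ts}


def is_under(path, folder):
    """True if path lies inside folder (or is the folder itself)."""
    try:
        PureWindowsPath(path).relative_to(folder)
        return True
    except ValueError:
        return False


def similar_system_name(name):
    """Return the system file this name imitates (close but not identical), else None."""
    lower = name.lower()
    if lower in KNOWN_SYSTEM_FILES:
        return None
    best = max(KNOWN_SYSTEM_FILES, key=lambda k: SequenceMatcher(None, lower, k).ratio())
    return best if SequenceMatcher(None, lower, best).ratio() >= SIMILARITY_THRESHOLD else None


def check_event(event):
    """Apply the two S2.3 alarm conditions; return a reason string or None."""
    info = keyword_info(event)
    if info["type"] not in EXECUTABLE_TYPES:
        return None
    in_system = any(is_under(info["location"], f) for f in SYSTEM_FOLDERS)
    if info["operation"] in ("create", "rename") and in_system:
        imitated = similar_system_name(info["name"])
        if imitated:
            return f"executable {info['name']} imitates system file {imitated} in {info['location']}"
    if info["operation"] == "execute" and PICTURE_FOLDER_NAME in PureWindowsPath(info["location"]).parts:
        return f"executable {info['name']} run from pictures folder {info['location']}"
    return None


def scan(events=FILE_EVENTS):
    """Return (keyword_info, reason) for every event that triggers an alarm."""
    alerts = []
    for event in events:
        reason = check_event(event)
        if reason:
            alerts.append((keyword_info(event), reason))
    return alerts


if __name__ == "__main__":
    for info, reason in scan():
        print(info["time"], reason)
```

On the constructed events the scan alarms on svch0st.exe created in System32, on the double-extension holiday.jpg.exe executed from the Pictures folder, and on lsasss.exe renamed into the Windows folder; the genuine hosts file, the document rewrite and the editor in Program Files pass. The similarity test deliberately returns nothing for an exact system-file name, since a legitimate system update writes exactly those names.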
The advanced persistent threat analysis method based on an attack timeline provided by the present invention can, while meeting detection requirements, obtain as much as possible of the hacker's behavioural analysis data inside the system and at the same time monitor the network data stream in real time, judging the damaging features that may be present in the data stream. When a hacker has obtained long-term access rights through the attacked object, the timeline is analysed to distinguish normal user behaviour from abnormal user behaviour; users who access and operate at abnormal hours receive special attention and are handled individually, and tracking can be traced back to the original access path. From the captured processes and command-line parameters, suspicious executed instructions and code are detected. The method is mainly used to analyse malicious code attacks, in joint analysis with local attack behaviour.
Specifically, for the Windows operating system, this refers to an advanced persistent threat detection method under the Windows system environment that uses channels inside the system to capture the behavioural information of processes and the kernel; by analysing the suspiciousness of operation behaviour, matching it against an intrusion feature database for decision, and dynamically analysing network traffic data and features for detection, it mines the user behaviour occurring at abnormal activity times and determines whether a malicious attack exists, so as to achieve the purpose of detecting advanced persistent threats.
For network attacks under the Windows operating system, this primarily means the detection of advanced persistent threats. The specific detection process, as shown in Figure 1, includes the following steps:
First step, longitudinal monitoring: detect user processes and network behaviour at abnormal activity times. Take over all program execution pipelines of the system kernel and capture the operations of the various system and application layers, that is, capture all executable operations, including PE files and all kinds of scripts; convert process execution into operation instructions (which have observability), i.e. convert the various instructions in the specific execution process into a standard format for detection. Specifically, use kernel functions to take over all execution processes and command pipelines in the system, capture the internal execution process and the API function call situation, and convert the execution process into instructions for detection. Set the network card to promiscuous mode, obtain protocol data packets of various types through the network layer, extract the data packets at the different network layers, obtain the suspicious features in the data, and analyse the suspicious behavioural features in combination with the local ports. Specifically, sniff the data packets passing through the local machine at the local IP link layer, dynamically recognise the TCP, UDP, DNS and ICMP data packet types and the data port information, and rapidly extract the suspicious features in the application-layer data. Enumerate all network channels (including but not limited to remote desktop and IPC shared pipes), and search for possible abnormal connection behaviour according to time features and IP information. Specifically, according to time-difference features and an IP whitelist mechanism, intercept the network channel requests issued by abnormal IPs at abnormal times, and implement high-intensity control over the commonly used IPC channels. Monitor file operations, including creation, renaming, rewriting, access and execution, and extract the key information for detection from file changes, including file name, type and features, for monitoring. Specifically, monitor the creation, renaming, rewriting, access and execution of all files inside the Windows system, extract abnormal keyword information from any file that changes, and monitor in particular executable PE programs and scripts such as ASP, PHP and JavaScript.
Second step: actively submit the captured data across the boundary from the kernel layer to the behavioural analysis engine in the application layer, the kernel layer releasing a signal. The cross-boundary data is encrypted in the driver layer before submission so that it is not intercepted by other drivers, avoiding interception by malicious drivers. Suspicious behaviour is alerted by matching against an attack signature database and an abnormal-behaviour policy repository based on the service environment.
Third step, lateral monitoring: persistently monitor the behaviour of these users.
The present invention, by analysing abnormal process execution, network behaviour and file operation behaviour in the system and by long-term monitoring, alerts on operations in the system that may constitute an advanced persistent attack.
The present invention has passed functional testing; the test results show that the invention has a good detection rate for common advanced persistent attack behaviour, and that especially in the case of penetration and attack through the network under the Windows system platform the attack detection rate is higher. The detection method can analyse the behaviour of an attack at the system level more fully, and even when an attack is relatively complex it can still detect part of the attack operation behaviour.
Specific embodiments of the present invention have been described above. It is to be understood that the invention is not limited to the above particular embodiments; those skilled in the art can make various changes or modifications within the scope of the claims without affecting the substantive content of the invention. In the absence of conflict, the embodiments of this application and the features in the embodiments can be combined with one another arbitrarily.
After a hacker obtains user rights, for an apparently normal user behaviour a security system has difficulty distinguishing whether the activity comes from an ordinary user or from a hacker, because a hacker implementing an advanced persistent threat carries out no specific activity, and no activity of harmful suspicion, before finally obtaining the important information and data, the better to hide, and performs no wide-ranging operations even after possessing the lawful authority to access a specific application or data. Monitoring the unrelated activity paths of all users would occupy a large amount of system resources and space.
Common tracing of a hacker's identity is carried out after the loss of assets is discovered, but a hacker can easily deceive the network administrators for a long time by the same means or upgraded means, by changing an IP and changing a login path; analysis of the historical data is then also of no avail.
Even the best security system has difficulty distinguishing whether a specific activity is of harmful suspicion, or whether the user has the lawful authority to access a specific application or data. With a longitudinal timeline, however, we can find the hacker who carries out normal user behaviour at abnormal hours. Through the historical record of the timeline, the hacker's pattern of activity is found laterally, so as to pre-judge the next intrusion.
By monitoring user activity, we are able to determine whether a remote session has been opened for a specific user, or whether the user has some unrelated activity paths at the same time, paying particular attention to user identities that have once been used to carry out deceptive actions, and to information such as whether the same user has logged in to another workstation at the same time.
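The timeline analysis described in the last two paragraphs, as an added Python example (illustrative code, not the patent's own): a longitudinal baseline of each user's active hours is built from the historical session records, sessions that start outside that baseline are flagged, and the lateral check looks for the same user active on two workstations at overlapping times. The session records, user names, workstation names and the review date are constructed assumptions standing in for logon and logoff events a real system would collect:

```python
"""Timeline analysis of user sessions: off-hours activity and concurrent workstations."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed session records: (user, workstation, session kind, logon, logoff).
# Records before the review date form the history; records from that date on are judged.
SESSIONS = [
    ("alice", "WS-01", "interactive", "2023-02-27T08:55", "2023-02-27T17:40"),
    ("alice", "WS-01", "interactive", "2023-02-28T09:05", "2023-02-28T18:02"),
    ("alice", "WS-01", "interactive", "2023-03-01T08:48", "2023-03-01T17:30"),
    ("alice", "WS-01", "interactive", "2023-03-02T09:10", "2023-03-02T17:55"),
    ("alice", "WS-01", "interactive", "2023-03-03T08:59", "2023-03-03T17:20"),
    ("bob",   "WS-07", "interactive", "2023-03-01T07:30", "2023-03-01T16:00"),
    ("bob",   "WS-07", "interactive", "2023-03-02T07:35", "2023-03-02T16:10"),
    ("bob",   "WS-07", "interactive", "2023-03-03T07:28", "2023-03-03T15:50"),
    # the period under review
    ("alice", "WS-01", "interactive", "2023-03-06T09:00", "2023-03-06T17:45"),
    ("alice", "WS-22", "remote",      "2023-03-06T13:10", "2023-03-06T13:50"),  # second workstation while WS-01 is active
    ("alice", "WS-01", "remote",      "2023-03-07T02:15", "2023-03-07T03:05"),  # remote session at an hour alice never works
    ("bob",   "WS-07", "interactive", "2023-03-06T07:40", "2023-03-06T16:05"),
]


def parse(sessions):
    """Turn the raw tuples into records with datetime objects."""
    return [{"user": u, "host": h, "kind": k,
             "start": datetime.fromisoformat(s), "end": datetime.fromisoformat(e)}
            for u, h, k, s, e in sessions]


def baseline_hours(history):
    """Longitudinal baseline: for each user, the hours of day in which past sessions were active."""
    hours = defaultdict(set)
    for s in history:
        t = s["start"].replace(minute=0, second=0)
        while t <= s["end"]:
            hours[s["user"]].add(t.hour)
            t += timedelta(hours=1)
    return hours


def off_hours_sessions(review, baseline):
    """Sessions whose logon hour the user has never been active in before."""
    return [s for s in review if s["start"].hour not in baseline.get(s["user"], set())]


def concurrent_workstations(review):
    """Lateral check: the same user active on two different workstations at overlapping times."""
    by_user = defaultdict(list)
    for s in review:
        by_user[s["user"]].append(s)
    alerts = []
    for user, sess in by_user.items():
        for i in range(len(sess)):
            for j in range(i + 1, len(sess)):
                a, b = sess[i], sess[j]
                if a["host"] != b["host"] and a["start"] < b["end"] and b["start"] < a["end"]:
                    alerts.append((user, a["host"], b["host"], max(a["start"], b["start"]).isoformat()))
    return alerts


def analyse_timeline(sessions=SESSIONS, review_from="2023-03-06"):
    """Split history from the review period, build the baseline and return the alert messages."""
    records = parse(sessions)
    cutoff = datetime.fromisoformat(review_from)
    history = [s for s in records if s["start"] < cutoff]
    review = [s for s in records if s["start"] >= cutoff]
    baseline = baseline_hours(history)
    alerts = [f"off-hours logon: {s['user']} on {s['host']} at {s['start'].isoformat()}"
              for s in off_hours_sessions(review, baseline)]
    alerts += [f"concurrent workstations: {u} on {h1} and {h2} from {t}"
               for u, h1, h2, t in concurrent_workstations(review)]
    return alerts


if __name__ == "__main__":
    for line in analyse_timeline():
        print(line)
```

On the constructed records alice's baseline covers 08:00 to 18:00, so the 02:15 remote session is the only off-hours logon, and her remote session on WS-22 during the WS-01 session is the only concurrent-workstation finding; bob, who keeps to his usual hours on one machine, produces nothing. The baseline here is the union of all hours ever seen; a production system would age it and weight it by frequency so that one past late session does not whitelist the hour for good.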
The above shows and describes the basic principles, main features and advantages of the present invention. For those skilled in the art it is clear that the invention is not limited to the details of the above exemplary embodiments, and that, without departing from the spirit or essential characteristics of the invention, the invention can be realised in other specific forms. Therefore, the embodiments should in all respects be regarded as exemplary and non-limiting, the scope of the invention being defined by the appended claims rather than by the above description, and it is intended that all changes falling within the meaning and scope of equivalents of the claims are included in the invention. Any reference signs in the claims should not be construed as limiting the claims involved.
In addition, it should be understood that although this specification is described in terms of embodiments, not every embodiment contains only one independent technical solution; this manner of description is merely for the sake of clarity, and those skilled in the art should consider the specification as a whole, the technical solutions in the various embodiments also being suitably combinable to form other embodiments that those skilled in the art can understand.