CN111464507A - APT detection method based on network alarm information - Google Patents

APT detection method based on network alarm information

Info

Publication number: CN111464507A
Authority: CN (China)
Prior art keywords: attack, apt, chain, nodes, alarm
Legal status: Pending
Application number: CN202010185737.0A
Other languages: Chinese (zh)
Inventors: 陈兵, 成翔, 李晨, 谢淀刚, 蒋林志, 朴明庆
Current Assignee: Nanjing University of Aeronautics and Astronautics
Original Assignee: Nanjing University of Aeronautics and Astronautics
Priority date: 2020-03-17
Filing date: 2020-03-17
Publication date: 2020-07-28

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/22 Matching criteria, e.g. proximity measures
    • G06F18/24 Classification techniques


Abstract

The invention discloses an APT detection method based on network alarms, comprising the following steps. Step 1: classify the APT alarm instances in the network alarm cluster according to the APT attack steps, obtaining the APT alarm instances corresponding to attack step P, attack step C, attack step A and attack step D; the APT attack steps P, C, A and D follow that time order. Step 2: read each APT alarm instance into a corresponding structure to form an attack node. Step 3: perform a chaining operation on all attack nodes according to a chaining rule to obtain a chain group A consisting of one or more attack chains. Step 4: perform a chain breaking operation on those attack chains in chain group A that meet the chain breaking rule to obtain a chain group B. Step 5: determine in turn the number of nodes of each attack chain in chain group B and obtain the APT attack detection result from that number.

Description

APT detection method based on network alarm information
Technical Field
The invention belongs to the technical field of information security, and in particular relates to an APT (Advanced Persistent Threat) detection method based on network alarm information.
Background
In the prior art, audit-flow APT detection methods find problematic data flows by performing anomaly detection on network data flows, but the detection rate is poor, the false alarm rate is relatively high, the cause of the various anomalous flows is hard to identify directly, and novel attack patterns are hard to prevent.
Big-data APT detection methods are also commonly used in the prior art: the data flow at each moment is examined with big-data techniques to find anomalous flows. The detection rate is higher, but the false alarm rate remains high, the volume of data required is huge, and because every computer runs different software, statistical methods often cannot identify the problem.
The Advanced Persistent Threat attack (APT attack) is a new mode of network attack that has emerged in recent years; it is covert, advanced and persistent, and can cause serious damage to a target system, and neither of the two detection methods above can detect it.
Disclosure of Invention
To solve the problems in the prior art, the invention provides an APT detection method based on network alarm information, which improves the detection success rate for APT attacks and reduces the false alarm rate.
The technical scheme is as follows. An APT detection method based on network alarms comprises the following steps:
Step 1: classify the APT alarm instances in the network alarm cluster according to the APT attack steps, obtaining the APT alarm instances corresponding to attack step P, attack step C, attack step A and attack step D; the APT attack steps P, C, A and D follow that time order;
Step 2: read each APT alarm instance into a corresponding structure to form an attack node, the structure storing the attack step type of the APT alarm instance;
Step 3: perform a chaining operation on all attack nodes according to a chaining rule to obtain a chain group A consisting of one or more attack chains;
Step 4: perform a chain breaking operation on those attack chains in chain group A that meet the chain breaking rule to obtain a chain group B;
Step 5: determine in turn the number of nodes of each attack chain in chain group B and obtain the APT attack detection result from that number: the closer the number of attack nodes is to 4, the higher the likelihood of an APT attack.
Further, the chaining rule includes:
(1) the attack nodes in the same attack chain correspond to different APT attack steps;
(2) the attack nodes in the same attack chain are arranged in the order of their APT attack steps, P -> C -> A -> D;
(3) an attack node can only be connected backwards, that is, after the existing nodes of a chain;
(4) the attack node to be embedded is connected to the attack chain with the greatest similarity, judged by the similarity between that node and the last one or two attack nodes of each connectable attack chain.
Further, the chain breaking rule introduces a parameter L: judge whether the IP of the host attacked by two attack nodes in the same attack chain is the same; if so, set L to 1, otherwise set L to 0. When L is 0 the chain breaking operation is performed; when L is 1 the attack chain is retained.
Further, in the chaining rule, the timestamp difference between the attack node corresponding to attack step D and the attack node corresponding to attack step P is less than the duration of a complete APT attack.
Further, the similarity between two attack nodes is calculated with formulas (2) to (4):
[Formulas (2) to (4) appear only as an image in the original]
In the formulas, $I(c_m)$ and $I(c_n)$ each denote an attack node; $Co(I(c_m))$ and $Co(I(c_n))$ denote the attack nodes associated with $I(c_m)$ and $I(c_n)$ respectively; $A(I(c_m))$ and $A(I(c_n))$ denote the attributes of $I(c_m)$ and $I(c_n)$ respectively; and $A(I(c_m)) \cup A(I(c_n))$ denotes the number of distinct attributes between $I(c_m)$ and $I(c_n)$.
Advantageous effects: the detection algorithm of the invention effectively improves the detection success rate for APT attacks and greatly reduces the false alarm rate.
Drawings
FIG. 1 is a schematic diagram of the chaining rule;
FIG. 2 is a schematic diagram of the chain breaking rule.
Detailed Description
The invention is further illustrated below with reference to the figures and an embodiment.
The APT detection method based on network alarm information comprises the following steps:
Step 1: based on the network alarm information, generate a set of data records simulating an APT attack; their attributes are shown in Table 1. The IPs of the set can be placed in the same local area network, in which case the number of simulated APT attacks can be increased; the times are drawn at random over several months, and the records are stored in a txt file.
TABLE 1
[Table 1 appears only as an image in the original]
Step 2: read the data from the txt file. Since the records must later be sorted by time and file reading is relatively slow, they can be sorted with insertion sort as they are read. Each record is read into a structure, which is one node; the structure records which attack type the record belongs to. Table 2 sets the timestamp size for each attack type adopted in this embodiment.
TABLE 2
[Table 2 appears only as an image in the original]
TABLE 3 Complete APT attack procedure
[Table 3 appears only as an image in the original]
Step 3: perform the chaining operation with reference to FIG. 1. The similarity between nodes is calculated and the nodes are preliminarily grouped into attack instances according to the chaining rule, that is, several nodes are connected according to the chaining rule to form an attack chain. The first record is placed in the first attack chain, and the nodes within an attack chain are divided by attack type. Each attack chain contains nodes of all or some of the types P, C, A and D.
The chaining rule of this embodiment is as follows:
(1) nodes placed in the same attack chain must belong to different attack types;
(2) the attack types must follow the order P -> C -> A -> D, and the difference between the timestamps of the node of attack type D and the node of attack type P must be less than the time it takes to complete the entire attack chain;
(3) nodes can only be connected backwards: if the first node is of attack type C, the following nodes can only be an A node and then a D node;
(4) during chaining, the similarity between a node and the nodes before and after it is calculated, and the node is chained to the nodes with the higher similarity; for example, if nodes of attack type P already exist and a node of attack type C is to be connected to one of them, the similarity between the two nodes is examined and the embedding with the greatest similarity is chosen.
To illustrate the chaining rule: the first attack node is of attack type C and forms an attack chain by itself. The second attack node is of attack type P; since rule 3 only allows connection backwards, it also forms an attack chain by itself. The third attack node is of attack type C; it is judged whether the timestamp difference between the third and second attack nodes exceeds the duration of a complete attack chain; if so, the third attack node forms an attack chain by itself, otherwise it is connected after the second attack node. The fourth attack node is of attack type A; it is judged whether the timestamp difference between the fourth and first attack nodes, and between the fourth and third attack nodes, exceeds the duration of a complete attack chain. If neither does, the similarity is calculated according to rule 4 and the fourth attack node is connected after the attack node with the higher similarity; if one difference exceeds the duration, the fourth attack node is connected after the attack node whose difference does not; and if the threshold is exceeded in both cases, the fourth attack node forms an attack chain of its own.
Step 4: perform the chain breaking operation with reference to FIG. 2. After the chaining operation a large number of attack chains is obtained, and the attacker IP within an attack chain may differ from node to node, so a breaking operation must be performed on such attack chains.
Step 5: at this point, every attack chain whose number of nodes is not 1 is taken to indicate an APT attack. The likelihood of an APT attack is judged from the number of nodes: with 4 nodes the likelihood is greatest, with 1 node there is no attack, and with 2 nodes there is some likelihood of attack.
Number of attack nodes 1: the APT alarm instances in the cluster have no causal relationship with each other and cannot form an APT attack scenario;
Number of attack nodes 2: two APT alarm instances in the cluster are associated, forming a two-node chain that is a subset of a complete APT attack scenario;
Number of attack nodes 3: three APT alarm instances in the cluster are associated, forming a three-node chain that is a subset of a complete APT attack scenario;
Number of attack nodes 4: associations between three APT alarm instances in the cluster are generated, constructing a complete APT attack scenario.
The core of the embodiment is the similarity algorithm. When the similarity between two nodes is calculated, not only the relationship between their attributes but also the relationship between the nodes before and after them enters the calculation, which greatly improves the precision of the similarity algorithm. If the attributes of the two nodes are identical, the similarity is set to 1; if they are completely different, it is set to 0; otherwise the attributes are compared with the following formulas and the result converges to a final similarity value through an iterative algorithm.
[Formulas shown only as an image in the original]
In the formulas, $I(c_m)$ and $I(c_n)$ each denote an attack node; $Co(I(c_m))$ and $Co(I(c_n))$ denote the attack nodes associated with $I(c_m)$ and $I(c_n)$ respectively; $A(I(c_m))$ and $A(I(c_n))$ denote the attributes of $I(c_m)$ and $I(c_n)$ respectively; and $A(I(c_m)) \cup A(I(c_n))$ denotes the number of distinct attributes between $I(c_m)$ and $I(c_n)$.
In step 3 of this embodiment, a parameter L is set according to whether the attacked host IP is the same between each pair of adjacent nodes, and the chain is then broken according to this parameter; if an attack chain in the broken result contains all four attack types P, C, A and D at once, an APT attack exists. The specific chain breaking rule is as follows, where L is set to 1 if the attacked host IP is the same between two nodes. Taking an attack chain formed by connecting three attack nodes as an example, the parameter L may take the following values:
(1, 1): the host IP attacked by every node in the attack chain is consistent, and the situation can be determined to be an APT attack scenario.
(0, 1): the latest two alarm instances are more similar than the previous two; the first link of the instance cluster is cancelled, a new instance cluster is built from the latest two alarm instances, and the next association is awaited; in short, a complete attack chain cannot yet be formed.
(1, 0): there is evidence to assign the third alarm instance, but a later alarm instance must be awaited; in short, a complete attack chain cannot yet be formed and the next association must be awaited.
(0, 0): there is no evidence to assign the third alarm instance, and a later alarm instance must be awaited; in short, a complete attack chain has not yet been constructed and the next association must be awaited.
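Steps 3 to 5 above (chaining in P -> C -> A -> D order within one full-attack window, breaking chains on the attacked-host parameter L, and scoring each chain by its node count), as an added example that is not the patent's own code. The page's formulas (2) to (4) survive only as an image, so a Jaccard ratio over the node attribute sets stands in for the similarity; the 30-day window, the `Node` fields and the alert data are constructed assumptions.

```python
"""Added example (not the patent's code): steps 3-5 of the method. Formulas (2)-(4)
survive only as an image, so Jaccard similarity over attribute sets stands in."""
from dataclasses import dataclass

STAGES = {"P": 0, "C": 1, "A": 2, "D": 3}   # APT attack steps in time order
APT_DURATION = 30 * 86400                   # assumed length of a complete APT: 30 days


@dataclass(frozen=True)
class Node:
    ts: int             # alert timestamp in seconds
    stage: str          # attack step type: P, C, A or D
    victim: str         # attacked host IP, used by the chain-breaking rule
    attrs: frozenset    # alert attributes (victim, signature, ...)


def similarity(a, b):
    """Stand-in for formulas (2)-(4): 1 for identical attribute sets, 0 for
    disjoint sets, otherwise shared attributes over distinct attributes."""
    union = a.attrs | b.attrs
    return 1.0 if not union else len(a.attrs & b.attrs) / len(union)


def tail_score(chain, node):
    """Rule 4: similarity of a node to the last one or two nodes of a chain."""
    tail = chain[-2:]
    return sum(similarity(t, node) for t in tail) / len(tail)


def chaining(nodes):
    """Step 3 (rules 1-4): build chain group A from the time-sorted nodes."""
    chains = []
    for node in sorted(nodes, key=lambda n: n.ts):
        candidates = [c for c in chains
                      if STAGES[c[-1].stage] < STAGES[node.stage]  # forward only, each step once
                      and node.ts - c[0].ts < APT_DURATION]        # within one full-attack window
        if candidates:
            max(candidates, key=lambda c: tail_score(c, node)).append(node)
        else:
            chains.append([node])                                  # starts a chain of its own
    return chains


def chain_breaking(chains):
    """Step 4: L = 1 when adjacent nodes hit the same host, else 0; cut every L = 0 link."""
    group_b = []
    for chain in chains:
        segment = [chain[0]]
        for prev, cur in zip(chain, chain[1:]):
            if prev.victim == cur.victim:   # L = 1: keep the link
                segment.append(cur)
            else:                           # L = 0: break the chain here
                group_b.append(segment)
                segment = [cur]
        group_b.append(segment)
    return group_b


def detect(nodes):
    """Step 5: (stage string, likelihood) per chain; 4 of 4 nodes is a complete scenario."""
    return [("".join(n.stage for n in c), len(c) / 4)
            for c in chain_breaking(chaining(nodes))]


def alert(day, stage, victim, sig):
    """Constructed alert: the victim IP is also carried as an attribute."""
    return Node(day * 86400, stage, victim, frozenset({"victim:" + victim, sig}))


# Constructed data set 1: a complete chain on 10.0.0.5 plus a stray C alert on 10.0.0.9.
FULL_CHAIN = [alert(0, "P", "10.0.0.5", "phishing"), alert(1, "C", "10.0.0.5", "c2-beacon"),
              alert(2, "C", "10.0.0.9", "c2-beacon"), alert(3, "A", "10.0.0.5", "lateral"),
              alert(4, "D", "10.0.0.5", "exfil")]
# Constructed data set 2: P and C hit one host, A and D another, so L = (1, 0, 1).
SPLIT_HOSTS = [alert(0, "P", "10.0.0.5", "phishing"), alert(1, "C", "10.0.0.5", "c2-beacon"),
               alert(2, "A", "10.0.0.7", "lateral"), alert(3, "D", "10.0.0.7", "exfil")]

if __name__ == "__main__":
    print(detect(FULL_CHAIN))    # [('PCAD', 1.0), ('C', 0.25)]
    print(detect(SPLIT_HOSTS))   # [('PC', 0.5), ('AD', 0.5)]
```

The second data set shows the (1, 0) style case from the text: the chaining step joins all four nodes, and only the breaking step on L separates the two hosts.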
With the detection method of this embodiment, the detection rate reaches 83.3%, the false alarm rate is 0.02% and the time is 1; with the existing audit flow algorithm, the detection rate is 78.5%, the false alarm rate is 0.08% and the time is 1.5%; with the existing big data detection method, the detection rate is 85.8%, the false alarm rate is 0.05% and the time is 2. The detection method of this embodiment therefore has a better detection rate than the audit flow method, a better false alarm rate than the big data detection method, and a better time than both existing algorithms.

Claims (5)

1. An APT detection method based on network alarms, characterized in that the method comprises the following steps:
Step 1: classify the APT alarm instances in the network alarm cluster according to the APT attack steps, obtaining the APT alarm instances corresponding to attack step P, attack step C, attack step A and attack step D; the APT attack steps P, C, A and D follow that time order;
Step 2: read each APT alarm instance into a corresponding structure to form an attack node, the structure storing the attack step type of the APT alarm instance;
Step 3: perform a chaining operation on all attack nodes according to a chaining rule to obtain a chain group A consisting of one or more attack chains;
Step 4: perform a chain breaking operation on those attack chains in chain group A that meet the chain breaking rule to obtain a chain group B;
Step 5: determine in turn the number of nodes of each attack chain in chain group B and obtain the APT attack detection result from that number: the closer the number of attack nodes is to 4, the higher the likelihood of an APT attack.
2. The APT detection method based on network alarms according to claim 1, characterized in that the chaining rule comprises:
(1) the attack nodes in the same attack chain correspond to different APT attack steps;
(2) the attack nodes in the same attack chain are arranged in the order of their APT attack steps, P -> C -> A -> D;
(3) an attack node can only be connected backwards;
(4) the attack node to be embedded is connected to the attack chain with the greatest similarity, judged by the similarity between that node and the last one or two attack nodes of each connectable attack chain.
3. The APT detection method based on network alarms according to claim 1, wherein the chain breaking rule introduces a parameter L: determine whether the IP of the host attacked by two attack nodes in the same attack chain is the same; if so, set L to 1, otherwise set L to 0; perform the chain breaking operation when L is 0, and retain the attack chain when L is 1.
4. The APT detection method based on network alarms according to claim 2, characterized in that, in the chaining rule, the timestamp difference between the attack node corresponding to attack step D and the attack node corresponding to attack step P is less than the time taken to complete a full APT attack.
5. The APT detection method based on network alarms according to claim 2, characterized in that the similarity between two attack nodes is calculated with formulas (2) to (4):
[Formulas (2) to (4) appear only as images in the original]
In the formulas, $I(c_m)$ and $I(c_n)$ each denote an attack node; $Co(I(c_m))$ and $Co(I(c_n))$ denote the attack nodes associated with $I(c_m)$ and $I(c_n)$ respectively; $A(I(c_m))$ and $A(I(c_n))$ denote the attributes of $I(c_m)$ and $I(c_n)$ respectively; and $A(I(c_m)) \cup A(I(c_n))$ denotes the number of distinct attributes between $I(c_m)$ and $I(c_n)$.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010185737.0A CN111464507A (en) 2020-03-17 2020-03-17 APT detection method based on network alarm information

Publications (1)

Publication Number Publication Date
CN111464507A true CN111464507A (en) 2020-07-28

Family

ID=71680765

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103312679A (en) * 2012-03-15 2013-09-18 北京启明星辰信息技术股份有限公司 APT (advanced persistent threat) detection method and system
CN107888607A (en) * 2017-11-28 2018-04-06 新华三技术有限公司 A kind of Cyberthreat detection method, device and network management device

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
XIANG CHENG ET AL: "Correlate the Advanced Persistent Threat Alerts and Logs for Cyber Situation Comprehension", Springer *
XIANG CHENG ET AL: "Cyber Situation Comprehension for IoT Systems based on APT Alerts and Logs Correlation", MDPI *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111741021A (en) * 2020-08-03 2020-10-02 北京翼鸥教育科技有限公司 Detection and protection system for CC attack access service cluster
CN114189360A (en) * 2021-11-19 2022-03-15 上海纽盾科技股份有限公司 Situation-aware network vulnerability defense method, device and system
CN114189360B (en) * 2021-11-19 2023-09-29 上海纽盾科技股份有限公司 Situation-aware network vulnerability defense method, device and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20200728)