CN111641589A - Advanced sustainable threat detection method, system, computer and storage medium - Google Patents

Info

Publication number: CN111641589A
Application number: CN202010360373.5A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Prior art keywords: file, traffic, files, backbone network, flow
Inventors: 王悦, 李伟, 鲁银冰, 蒋熠, 智绪龙, 刘乐, 田毅, 赵雪昆, 谢锋林, 胡声秋
Current assignee: Sino Telecom Technology Co inc; China Mobile Communications Group Co Ltd; China Mobile Hangzhou Information Technology Co Ltd; China Mobile Group Zhejiang Co Ltd
Original assignee: Sino Telecom Technology Co inc; China Mobile Communications Group Co Ltd; China Mobile Hangzhou Information Technology Co Ltd; China Mobile Group Zhejiang Co Ltd
Application filed by Sino Telecom Technology Co inc, China Mobile Communications Group Co Ltd, China Mobile Hangzhou Information Technology Co Ltd and China Mobile Group Zhejiang Co Ltd
Priority to CN202010360373.5A
Publication of CN111641589A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Abstract

The invention discloses an advanced persistent threat detection method, system, computer and storage medium. The detection method comprises: analysing the traffic of an operator's backbone network and restoring the files transmitted in the backbone network; filtering the traffic in the backbone network so as to filter out normal traffic and files; detecting the filtered files; detecting intrusion attack traffic in the backbone network; processing the detection results and intercepting and blocking the corresponding intrusion attack traffic; logging the detected attacks; and displaying the recorded logs for subsequent forensics and source tracing of advanced persistent threat attacks. The method can detect advanced persistent threat (APT) attacks from multiple angles, gives operators strong data support for APT detection together with detailed source-tracing information, and at the same time can block network attacks, protecting users' interests.

Figure 202010360373

Description

Advanced sustainable threat detection method, system, computer and storage medium

Technical field

Embodiments of the present invention relate to computer network security technology, and in particular to an advanced persistent threat detection method, system, computer and storage medium.

Background

Advanced persistent threat (APT) attacks typically lie dormant for a long time after penetrating a network, use insiders of the organisation as a springboard, keep trying different attack techniques and keep gathering information until valuable intelligence has been collected. The intent of an APT attack is to steal data rather than to damage the network.

At present, protection against APT generally consists of inspecting traffic, behaviour or files at the gateway at the egress of a local area network, which usually requires the network firewall to provide this functionality. The operator, although a key node of the network, is entirely unaware of APT attacks within it; and when such an attack does occur, the operator is subsequently unable to block it or trace it to its source, and cannot identify the real perpetrator of the attack.

Summary of the invention

On this basis, and in view of the above technical problems, the present invention provides an advanced persistent threat detection method, system, computer and storage medium that can trace APT attacks in the network to their source by monitoring backbone network traffic, and so identify the real perpetrator of the attack.

In a first aspect, an embodiment of the present invention provides an advanced persistent threat detection method, comprising:

analysing the traffic of an operator's backbone network and restoring the files transmitted in the backbone network;

filtering the traffic in the backbone network so as to filter out normal traffic and files;

detecting the filtered files;

detecting intrusion attack traffic in the backbone network;

processing the detection results and intercepting and blocking the corresponding intrusion attack traffic;

logging the detected attacks;

displaying the recorded logs for subsequent forensics and source tracing of advanced persistent threat attacks.

The above advanced persistent threat detection method can detect APT attacks from multiple angles, gives operators strong data support for APT detection together with detailed source-tracing information, and at the same time can block network attacks, protecting users' interests.

In one embodiment, the step of filtering the traffic in the backbone network so as to filter out normal traffic and files comprises:

obtaining identification information for normal traffic and files;

generating a mapping library of the identification information using the bloom filter algorithm;

matching traffic against the mapping library and filtering out traffic that contains normal identification information.

In one embodiment, the identification information includes at least one of IP information, URL information, DNS information and MD5 information.

In one embodiment, the step of detecting the filtered files comprises:

initialising the scan engine library;

creating a scan engine;

loading the virus database;

compiling the scan engine;

initialising file monitoring and monitoring the filtered file path;

adding files newly written to the file path to a monitoring queue;

scanning the files in the monitoring queue using hyperscan.

In one embodiment, the step of detecting intrusion attack traffic in the backbone network comprises:

loading the intrusion detection rule base;

compiling the intrusion detection rules and establishing a rule mapping relationship;

scanning the traffic using hyperscan and outputting the scan results.

In a second aspect, an embodiment of the present invention further provides an advanced persistent threat detection system, comprising:

an analysis and restoration module, for analysing the traffic of an operator's backbone network and restoring the files transmitted in the backbone network;

an information filtering module, for filtering the traffic in the backbone network so as to filter out normal traffic and files;

a file detection module, for detecting the files filtered by the information filtering module;

an attack detection module, for detecting intrusion attack traffic in the backbone network;

an interception and blocking module, for processing the detection results of the file detection module and the attack detection module and intercepting and blocking the corresponding intrusion attack traffic;

a logging module, for logging the detected attacks;

a log display module, for displaying the recorded logs for subsequent forensics and source tracing of advanced persistent threat attacks.

The above advanced persistent threat detection system can detect APT attacks from multiple angles, gives operators strong data support for APT detection together with detailed source-tracing information, and at the same time can block network attacks, protecting users' interests.

In one embodiment, the analysis and restoration module has operator-grade processing capacity and uses the dpdk development kit to perform the network traffic processing.

In one embodiment, the file detection module uses a multi-threaded model in which one thread monitors the path where files are generated and writes them to a monitoring queue in real time, while the remaining threads take files from the monitoring queue in real time and scan them.

In a third aspect, an embodiment of the present invention further provides a computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the above advanced persistent threat detection method when it executes the program.

In a fourth aspect, an embodiment of the present invention further provides a computer-readable storage medium on which a computer program is stored, the program implementing the above advanced persistent threat detection method when executed by a processor.

Description of the drawings

Fig. 1 is a schematic flowchart of an advanced persistent threat detection method in one embodiment;

Fig. 2 is a schematic flowchart, in one embodiment, of the step of filtering the traffic in the backbone network so as to filter out normal traffic and files;

Fig. 3 is a schematic flowchart, in one embodiment, of the step of detecting the filtered files;

Fig. 4 is a schematic flowchart, in one embodiment, of the step of detecting intrusion attack traffic in the backbone network;

Fig. 5 is a schematic diagram of the architecture of an advanced persistent threat detection system in one embodiment.

Detailed description

The present invention is described in further detail below with reference to the drawings and embodiments. It will be understood that the specific embodiments described here serve only to explain the present invention and do not limit it. It should also be noted that, for ease of description, the drawings show only those parts of the structure that relate to the present invention, and not the whole.

Fig. 1 is a schematic flowchart of an advanced persistent threat detection method in one embodiment. As shown in Fig. 1, in one embodiment the method of the present application is used in a network security device, and an advanced persistent threat detection method comprises the following steps:

Step S110: analyse the traffic of the operator's backbone network and restore the files transmitted in the backbone network.

Specifically, after the device has received the backbone network traffic, it must first analyse the traffic and restore the files transmitted in the network, so as to obtain the information needed for subsequent detection; exactly which information is needed depends on the type of file carried in the traffic.

Step S120: filter the traffic in the backbone network so as to filter out normal traffic and files.

Specifically, after the backbone traffic has been analysed and restored, the traffic and files are compared and looked up against the detection information obtained; this comparison can be performed with a bloom filter. After the lookup, the traffic and files that the operator regards as trusted are filtered out, and only the remaining suspicious traffic and files are then inspected. Because trusted traffic and files are no longer inspected afterwards, the volume of data that subsequent detection has to process is greatly reduced and the processing performance of the device is improved.

Step S130: detect the filtered files.

Specifically, the suspicious files remaining after filtering are inspected. Files transmitted over the network can take many forms, for example executable exe files, compressed rar/zip/gz archives and packed files; these files can be classified in turn and then decompressed or unpacked accordingly. Finally the file is scanned with hyperscan to obtain a scan result. A file is marked as an attack file according to the scan result, and is otherwise left unmarked.

Step S140: detect intrusion attack traffic in the backbone network.

Specifically, in addition to the suspicious files, the suspicious traffic remaining after filtering must also be inspected; this can be done by scanning the features in the traffic packets with hyperscan to obtain a scan result. Traffic is marked as intrusion attack traffic according to the scan result, and is otherwise left unmarked.

Step S150: process the detection results and intercept and block the corresponding intrusion attack traffic.

Specifically, the traffic and files marked after detection as advanced persistent threat attacks are intercepted and blocked, so as to ensure the network security of the local devices.

Step S160: log the detected attacks.

Specifically, after interception the marked data flows must also be written out as log entries and stored in the log database. The logged information includes, but is not limited to, the time, log level, source address, destination address, protocol type, event name, event type, virus name, file name, APT group and country.

Step S170: display the recorded logs for subsequent forensics and source tracing of advanced persistent threat attacks.

Specifically, on the web side, the interception and blocking information in the log records can be read from the database, so that the same or similar advanced persistent threat attacks can later be prevented on the basis of that information, continuously improving network security.

The above advanced persistent threat detection method can detect APT attacks from multiple angles, gives operators strong data support for APT detection together with detailed source-tracing information, and at the same time can block network attacks, protecting users' interests.

Fig. 2 is a schematic flowchart, in one embodiment, of the above step of filtering the traffic in the backbone network so as to filter out normal traffic and files. As shown in Fig. 2, in this embodiment step S120 may specifically comprise:

Step S121: obtain identification information for normal traffic and files.

Step S122: generate a mapping library of the normal identification information using the bloom filter algorithm.

Step S123: match the traffic against the mapping library and filter out traffic that contains normal identification information.

Specifically, identification information for normal traffic and files is obtained first; in a preferred embodiment this identification information includes at least one of IP information, URL information, DNS information and MD5 information. For example, if the traffic consists of DNS packets, mainly the DNS information of those packets is obtained; if it consists of HTTP packets, mainly the URL field is obtained; if it consists of other ordinary packets, mainly the IP information is obtained; and if the packets carry a file, the file is restored and its MD5 is recorded. Once the IP, URL, DNS and MD5 information of known-normal traffic has been collected, a mapping library of that IP, URL, DNS and MD5 information can be generated with the bloom filter algorithm; the library is matched against the backbone traffic, and traffic containing normal IP, URL, DNS and MD5 information is filtered out, leaving only the suspicious traffic and files.
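The bloom-filter whitelist of steps S121 to S123 (and of step S120 above), as an added example; this is not code from the patent, and the hashing scheme (double hashing over one SHA-256 digest), the sizing formulas, the "kind:value" record format and the sample identifiers are assumptions made here. The example also makes explicit the property the description leaves implicit: a bloom filter never wrongly drops a known-normal item, but an unknown item can test positive and be filtered out as normal, and in this design that false positive means the item escapes inspection, so the target rate has to be chosen for the backbone's volume rather than for memory convenience.

```python
import hashlib
import math


class BloomFilter:
    """Bit-array bloom filter sized for `expected_items` at a target false-positive rate."""

    def __init__(self, expected_items: int, target_fpr: float):
        n = max(1, expected_items)
        # Standard sizing: m = -n ln p / (ln 2)^2 bits, k = (m / n) ln 2 hash positions.
        self.m = max(8, int(-n * math.log(target_fpr) / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / n * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, key: str):
        # Kirsch-Mitzenmacher double hashing: two 64-bit halves of one SHA-256 digest
        # give k positions without k separate hash functions.
        digest = hashlib.sha256(key.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd, so the stride is never zero
        for i in range(self.k):
            yield (h1 + i * h2) % self.m

    def add(self, key: str) -> None:
        for pos in self._positions(key):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def contains(self, key: str) -> bool:
        """True means the key *may* be present; False means it is definitely absent."""
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(key))

    def estimated_fpr(self, inserted: int) -> float:
        """Theoretical false-positive rate after `inserted` keys: (1 - e^(-kn/m))^k."""
        return (1 - math.exp(-self.k * inserted / self.m)) ** self.k


def record_key(record: dict) -> str:
    """Namespace each identifier by its type (assumed record format) so that an IP string
    and a DNS name that happen to be equal never share bloom positions."""
    return f"{record['kind']}:{record['value']}"


def build_whitelist(known_good: list, target_fpr: float = 1e-6) -> BloomFilter:
    """Step S122: generate the mapping library from the collected normal identifiers."""
    bf = BloomFilter(expected_items=len(known_good), target_fpr=target_fpr)
    for rec in known_good:
        bf.add(record_key(rec))
    return bf


def filter_traffic(bf: BloomFilter, records: list):
    """Step S123: split records into (filtered-out normal, remaining suspicious).

    Every whitelisted record is guaranteed to be filtered out (no false negatives).
    A record that is NOT whitelisted is still filtered out with probability roughly
    bf.estimated_fpr(n); that is the security cost of this design.
    """
    normal, suspicious = [], []
    for rec in records:
        (normal if bf.contains(record_key(rec)) else suspicious).append(rec)
    return normal, suspicious


# Constructed sample data: identifiers the operator has vetted as normal (step S121).
KNOWN_GOOD = [
    {"kind": "ip", "value": "203.0.113.10"},
    {"kind": "dns", "value": "ntp.example.net"},
    {"kind": "url", "value": "http://updates.example.com/patch.bin"},
    {"kind": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e"},
]

# Constructed sample of restored backbone traffic to be classified.
TRAFFIC = [
    {"kind": "ip", "value": "203.0.113.10"},
    {"kind": "dns", "value": "ntp.example.net"},
    {"kind": "dns", "value": "unknown-host.example.org"},
    {"kind": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e"},
    {"kind": "md5", "value": "00000000000000000000000000000000"},
]

if __name__ == "__main__":
    wl = build_whitelist(KNOWN_GOOD)
    normal, suspicious = filter_traffic(wl, TRAFFIC)
    print(f"m={wl.m} bits, k={wl.k}, estimated FPR={wl.estimated_fpr(len(KNOWN_GOOD)):.2e}")
    print("filtered out:", [record_key(r) for r in normal])
    print("to inspect:  ", [record_key(r) for r in suspicious])
```

In production the bloom filter is only the fast path: because a positive answer is probabilistic, a "filtered out" decision should be auditable (log the matched key) and the filter rebuilt whenever the vetted set changes, since a bit-array bloom filter cannot delete entries.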

Fig. 3 is a schematic flowchart of the step of detecting the filtered files in the above embodiment. As shown in Fig. 3, in this embodiment step S130 may specifically comprise:

Step S131: initialise the scan engine library;

Step S132: create a scan engine;

Step S133: load the virus database;

Step S134: compile the scan engine;

Step S135: initialise file monitoring and monitor the filtered file path;

Step S136: add files newly written to the file path to the monitoring queue;

Step S137: scan the files in the monitoring queue using hyperscan.

Specifically, because existing file detection methods have considerable shortcomings in file scanning performance, high-performance file detection can be achieved with a multi-threaded design that separates file monitoring and file scanning into different threads, with hyperscan used for the virus scanning itself. The main process first initialises the scan engine library, which the file scanning interface will call later, then loads the virus database and compiles the scan engine. It then initialises file monitoring and monitors the filtered file path, watching mainly for the IN_CLOSE_WRITE file event. A monitoring thread is created and pinned to one CPU thread; its main job is to add newly written files to the monitoring queue. File scanning threads are then created and pinned to other CPU threads; their number can be chosen according to the actual situation, and all of them handle file scanning. The scanning itself can use hyperscan to improve performance further: files are taken from the monitoring queue, scanned one by one, and the scan results are output.
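The monitor-thread plus scan-thread loop of steps S131 to S137 (the same multi-threaded model the system embodiment describes), as an added example that is not the patent's code. Stand-ins, all assumptions of this example: Python's re module takes the place of hyperscan, a polling directory watcher takes the place of an inotify IN_CLOSE_WRITE subscription, the "virus database" is a constructed two-signature dict, only zip archives are unpacked, and the sample files are written by the example itself. The edge case it handles is the one a scanner thread must survive: a malformed archive is reported as an error rather than killing the worker.

```python
import io
import os
import queue
import re
import tempfile
import threading
import time
import zipfile

# Step S133 stand-in: a constructed "virus database" of regular expressions. The first is
# the well-known EICAR test marker; the second is an invented token, not a real signature.
VIRUS_DB = {
    "EICAR-Test-File": rb"EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
    "Constructed.Marker": rb"X-CONSTRUCTED-APT-MARKER-[0-9a-f]{8}",
}
STOP = object()  # queue sentinel telling a scan worker to exit


def compile_engine(virus_db):
    """Steps S131/S132/S134: compile the pattern set once; workers share it read-only."""
    return [(name, re.compile(pat)) for name, pat in virus_db.items()]


def unpack(data):
    """Classify by magic bytes and expand zip archives so the scanner sees the payload."""
    if data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [("zip:" + n, zf.read(n)) for n in zf.namelist()]
    return [("raw", data)]  # rar/gz/packed executables would need their own handlers


def scan_file(engine, path):
    """Step S137 for one file: unpack, scan every member, return {member: [signatures]}."""
    with open(path, "rb") as fh:
        raw = fh.read()
    hits = {}
    for label, payload in unpack(raw):
        found = [name for name, rx in engine if rx.search(payload)]
        if found:
            hits[label] = found
    return hits


def monitor(watch_dir, work, stop, interval=0.05):
    """Steps S135/S136: polling stand-in for inotify IN_CLOSE_WRITE; enqueue each new file once.
    Names ending in '.part' are still being written and are skipped."""
    seen = set()
    while not stop.is_set():
        for name in sorted(os.listdir(watch_dir)):
            if name not in seen and not name.endswith(".part"):
                seen.add(name)
                work.put(os.path.join(watch_dir, name))
        time.sleep(interval)


def worker(engine, work, results, lock):
    """Scan thread: consume paths from the queue until the STOP sentinel arrives."""
    while True:
        path = work.get()
        if path is STOP:
            return
        try:
            hits = scan_file(engine, path)
        except (OSError, zipfile.BadZipFile) as exc:  # a malformed archive must not kill the worker
            hits = {"error": [type(exc).__name__]}
        with lock:
            results[os.path.basename(path)] = hits


def run_detection(files, n_workers=2, timeout=5.0):
    """End to end: files land in the watched path, the monitor thread queues them, scan threads
    consume the queue. `files` is {name: bytes}; returns {name: scan_file() result}."""
    engine = compile_engine(VIRUS_DB)
    work, results, lock, stop = queue.Queue(), {}, threading.Lock(), threading.Event()
    with tempfile.TemporaryDirectory() as watch_dir:
        threads = [threading.Thread(target=monitor, args=(watch_dir, work, stop), daemon=True)]
        threads += [threading.Thread(target=worker, args=(engine, work, results, lock), daemon=True)
                    for _ in range(n_workers)]
        for t in threads:
            t.start()
        for name, data in files.items():
            part = os.path.join(watch_dir, name + ".part")
            with open(part, "wb") as fh:
                fh.write(data)
            os.rename(part, os.path.join(watch_dir, name))  # atomic: never scan a half-written file
        deadline = time.time() + timeout
        while time.time() < deadline:
            with lock:
                if len(results) == len(files):
                    break
            time.sleep(0.02)
        stop.set()
        for _ in range(n_workers):
            work.put(STOP)
        for t in threads:
            t.join(timeout=1.0)
    return results


def sample_files():
    """Constructed inputs: clean text, EICAR marker, marker hidden in a zip member, truncated zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("inner.bin", b"\x00\x01 X-CONSTRUCTED-APT-MARKER-deadbeef \xff")
    return {
        "clean.txt": b"quarterly report, nothing to see here",
        "eicar.com": b"test body containing EICAR-STANDARD-ANTIVIRUS-TEST-FILE marker",
        "bundle.zip": buf.getvalue(),
        "broken.zip": b"PK\x03\x04 truncated archive",
    }
```

Running `run_detection(sample_files())` returns one result per file name, for example `{"zip:inner.bin": ["Constructed.Marker"]}` for the archive and `{"error": ["BadZipFile"]}` for the truncated one. The write-then-rename in `run_detection` is what IN_CLOSE_WRITE gives a real deployment for free: the scanner only ever sees a file after its writer has finished.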

Fig. 4 is a schematic flowchart of the step of detecting intrusion attack traffic in the backbone network in the above embodiment. As shown in Fig. 4, in this embodiment step S140 may specifically comprise:

Step S141: load the intrusion detection rule base;

Step S142: compile the intrusion detection rules and establish the rule mapping relationship;

Step S143: scan the traffic using hyperscan and output the scan results.

Specifically, because existing intrusion detection methods also have considerable performance shortcomings, high-performance intrusion detection can be achieved by using hyperscan scanning in place of the currently popular AC/BM approaches.
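The rule-compile-and-scan loop of steps S141 to S143, carried through to the marking and logging of steps S150 and S160, as an added example that is not the patent's code. Python's re module with a single alternation of named groups stands in for a hyperscan database, whose compile step likewise assigns every pattern an integer id that the match callback returns; that id-to-rule lookup is the "rule mapping relationship" of step S142. The rule base, the packets and the constant values for APT group and country are all constructed for this example.

```python
import datetime
import re

# Step S141, constructed rule base: rule id -> metadata. The patterns illustrate the
# *shape* of a rule (id, pattern, name, type, level); they are not production signatures.
RULE_BASE = {
    1001: {"pattern": rb"GET /[^ ]*\.\./\.\./", "name": "Directory traversal in HTTP request",
           "type": "web-attack", "level": "high"},
    1002: {"pattern": rb"User-Agent: Constructed-Beacon/[0-9.]+", "name": "Constructed beacon user-agent",
           "type": "c2-beacon", "level": "critical"},
    1003: {"pattern": rb"\x00\x01\x02\x03CONSTRUCTED-EXPLOIT-MARKER", "name": "Constructed binary marker",
           "type": "exploit", "level": "high"},
}
SEVERITY = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def compile_rules(rule_base):
    """Step S142: one combined pattern in which named group g<id> carries the rule mapping,
    the same role hyperscan's per-pattern id plays in its match callback. Rule patterns
    must not contain capturing groups of their own."""
    alternation = b"|".join(b"(?P<g%d>%s)" % (sid, meta["pattern"]) for sid, meta in rule_base.items())
    return re.compile(alternation, re.DOTALL)


def scan_packet(engine, packet):
    """Step S143: return the sorted ids of every rule that fires on the packet payload."""
    hits = set()
    for m in engine.finditer(packet["payload"]):
        hits.update(int(k[1:]) for k, v in m.groupdict().items() if v is not None)
    return sorted(hits)


def make_log_entry(packet, sids, rule_base, now=None):
    """Steps S150/S160: a marked packet becomes one log record with the fields the
    description lists. virus_name/file_name belong to file detections and stay None here;
    apt_group/country would come from the operator's threat-intelligence enrichment."""
    top = max((rule_base[s] for s in sids), key=lambda r: SEVERITY[r["level"]])
    return {
        "time": now or datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "level": top["level"], "src": packet["src"], "dst": packet["dst"], "protocol": packet["proto"],
        "event_name": top["name"], "event_type": top["type"], "virus_name": None, "file_name": None,
        "apt_group": "unknown", "country": "unknown", "rule_ids": sids, "action": "blocked",
    }


def process_traffic(packets, rule_base=RULE_BASE, now=None):
    """Run S143 -> S150 -> S160 over a packet list: returns (log entries for blocked packets,
    number of packets passed through unmarked)."""
    engine = compile_rules(rule_base)
    log, passed = [], 0
    for pkt in packets:
        sids = scan_packet(engine, pkt)
        if sids:
            log.append(make_log_entry(pkt, sids, rule_base, now))
        else:
            passed += 1
    return log, passed


# Constructed sample of filtered (post-bloom) backbone packets; addresses are documentation ranges.
PACKETS = [
    {"src": "198.51.100.7", "dst": "203.0.113.80", "proto": "HTTP",
     "payload": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
    {"src": "198.51.100.7", "dst": "203.0.113.80", "proto": "HTTP",
     "payload": b"GET /images/../../secret.txt HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
    {"src": "192.0.2.44", "dst": "203.0.113.9", "proto": "HTTP",
     "payload": b"GET /ping HTTP/1.1\r\nUser-Agent: Constructed-Beacon/1.2\r\n\r\n"},
    {"src": "192.0.2.45", "dst": "203.0.113.9", "proto": "TCP",
     "payload": b"\x00\x01\x02\x03CONSTRUCTED-EXPLOIT-MARKER\x00\x00"},
    {"src": "192.0.2.46", "dst": "203.0.113.80", "proto": "HTTP",
     "payload": b"GET /a/../../b HTTP/1.1\r\nUser-Agent: Constructed-Beacon/3.0\r\n\r\n"},
]

if __name__ == "__main__":
    entries, passed = process_traffic(PACKETS)
    print(f"{passed} packet(s) passed, {len(entries)} blocked")
    for e in entries:
        print(e["level"], e["src"], "->", e["dst"], e["event_name"], e["rule_ids"])
```

When several rules fire on one packet the entry keeps every rule id but takes its level and event name from the most severe rule, so the log level a web console sorts by is never understated. One difference from hyperscan worth knowing when porting: finditer reports non-overlapping matches only, whereas hyperscan reports every pattern that matches at every end offset.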

图5为一个实施例中高级可持续威胁检测系统的结构示意图,如图5所示,在一个实施例中,一种高级可持续威胁检测系统300包括:FIG. 5 is a schematic structural diagram of an advanced persistent threat detection system in an embodiment. As shown in FIG. 5 , in an embodiment, an advanced persistent threat detection system 300 includes:

分析还原模块310,用于对运营商的骨干网的流量进行分析并还原骨干网中传输的文件;信息过滤模块320,用于对骨干网中的流量进行过滤,以将正常流量和文件过滤掉;文件检测模块330,用于对信息过滤模块320过滤后的文件进行检测;攻击检测模块340,用于对骨干网中的入侵攻击流量进行检测;拦截封堵模块350,用于对文件检测模块330和攻击检测模块350检测的结果进行处理,对相应的入侵攻击流量进行拦截封堵;日志记录模块360,用于对所检测出来的攻击进行日志记录;日志展示模块370,用于对记录的日志进行展示,供后续高级可持续威胁攻击的取证及溯源。The analysis and restoration module 310 is used to analyze the traffic of the operator's backbone network and restore the files transmitted in the backbone network; the information filtering module 320 is used to filter the traffic in the backbone network to filter out normal traffic and files. The file detection module 330 is used to detect the files filtered by the information filtering module 320; the attack detection module 340 is used to detect the intrusion attack traffic in the backbone network; the interception block module 350 is used to detect the file 330 and the result detected by the attack detection module 350 are processed, and the corresponding intrusion attack traffic is intercepted and blocked; the log recording module 360 is used to log the detected attacks; the log display module 370 is used to record the recorded attacks. The logs are displayed for the forensics and source tracing of subsequent advanced sustainable threat attacks.

具体地,分析还原模块310接收骨干网的网络流量并对其进行分析,还原网络中传输文件,以得到待后续模块检测的相关信息,并将相关信息发送给信息过滤模块320。在一个优选的实施例中,分析还原模块310具备运营商级别的处理能力,采用dpdk开发套件完成网络流量处理。信息过滤模块320可以通过正常流量的识别信息映射库对对所接收的流量进行过滤,识别信息具体可以包括IP信息、URL信息、DNS信息以及MD5信息,将正常识别信息的流量和文件过滤掉,将可疑的文件和流量分别发送至文件检测模块330和攻击检测模块340。Specifically, the analysis and restoration module 310 receives and analyzes the network traffic of the backbone network, restores the files transmitted in the network to obtain relevant information to be detected by subsequent modules, and sends the relevant information to the information filtering module 320 . In a preferred embodiment, the analysis and restoration module 310 has operator-level processing capabilities, and uses a dpdk development kit to complete network traffic processing. The information filtering module 320 can filter the received traffic through the identification information mapping library of normal traffic, and the identification information can specifically include IP information, URL information, DNS information and MD5 information, and filter out the traffic and files of the normal identification information, Suspicious files and traffic are sent to the file detection module 330 and the attack detection module 340, respectively.

文件检测模块330和攻击检测模块340分别对所接收的可疑文件和流量进行检测,具体的检测方式可以根据实际情况确定,例如可以通过使用hyperscan对文件以及流量包进行扫描。在一个优选的实施例中,文件检测模块340采用多线程模型,其中,一个线程监控生成文件的路径并实时写入监控队列,其余线程实时从监控队列中获取文件进行扫描,从而可以有效提升检测效率。在对文件和流量进行检测后,文件检测模块330和攻击检测模块340将检测结果发送至拦截封堵模块350。The file detection module 330 and the attack detection module 340 respectively detect the received suspicious files and traffic. The specific detection method can be determined according to the actual situation. For example, hyperscan can be used to scan files and traffic packets. In a preferred embodiment, the file detection module 340 adopts a multi-threading model, wherein one thread monitors the path for generating the file and writes it to the monitoring queue in real time, and the other threads acquire files from the monitoring queue in real time for scanning, so that the detection can be effectively improved. efficiency. After the files and traffic are detected, the file detection module 330 and the attack detection module 340 send the detection results to the interception and blocking module 350 .

拦截封堵模块350根据接受的检测对相应的高级可持续威胁攻击的文件和流量进行拦截封堵,并将拦截封堵信息发送至日志记录模块360。日志记录模块360将拦截封堵信息记录为日志信息并写入数据库,该日志信息具体可以包括时间、日志级别、源地址、目的地址、协议类型、事件名称、事件类型、病毒名称、文件名、APT组织、国家等。日志展示模块370可以从日志记录模块360的数据库中读取拦截封堵的日志信息并进行展示,从而之后可以据此对相同或相似的高级可持续威胁攻击进行预防,持续提高网络的安全性。The interception and blocking module 350 intercepts and blocks the corresponding files and traffic of the advanced persistent threat attack according to the accepted detection, and sends the interception and blocking information to the logging module 360 . The logging module 360 records the interception and blocking information as log information and writes it into the database. The log information may specifically include time, log level, source address, destination address, protocol type, event name, event type, virus name, file name, APT organizations, countries, etc. The log display module 370 can read the intercepted and blocked log information from the database of the log recording module 360 and display it, so as to prevent the same or similar advanced sustainable threat attacks and continuously improve the security of the network.

上述高级可持续威胁检测系统300,可以多方位对APT攻击进行检测,为运营商对APT检测提供有力的数据支撑并提供详实的溯源信息、同时可以对网络攻击进行阻断,保障用户的利益。The above-mentioned advanced sustainable threat detection system 300 can detect APT attacks in multiple directions, provide strong data support for operators to APT detection and provide detailed traceability information, and can block network attacks at the same time to protect the interests of users.

可以理解的是,本发明实施例所提供的高级可持续威胁检测系统可执行本发明任意实施例所提供的高级可持续威胁检测方法,具备执行方法相应的功能模块和有益效果。上述实施例中高级可持续威胁检测系统所包括的各个单元和模块只是按照功能逻辑进行划分的,但并不局限于上述实施例的划分,只要能够实现相应的功能即可;另外,各功能单元的具体名称也只是为了便于相互区分,并不用于限制本发明的保护范围。It can be understood that the advanced sustainable threat detection system provided by the embodiment of the present invention can execute the advanced sustainable threat detection method provided by any embodiment of the present invention, and has corresponding functional modules and beneficial effects of the execution method. The units and modules included in the advanced sustainable threat detection system in the above embodiment are only divided according to functional logic, but are not limited to the division in the above embodiment, as long as the corresponding functions can be realized; in addition, each functional unit The specific names are only for the convenience of distinguishing from each other, and are not used to limit the protection scope of the present invention.

在一个实施例中,提供一种计算机设备,包括存储器、处理器及存储在存储器上并可以在处理器上运行的计算机程序。处理器在运行该程序时可以执行如下步骤:对运营商的骨干网的流量进行分析并还原骨干网中传输的文件;对骨干网中的流量进行过滤,以将正常流量和文件过滤掉;对过滤后的文件进行检测;对骨干网中的入侵攻击流量进行检测;对检测的结果进行处理,对相应的入侵攻击流量进行拦截封堵;对所检测出来的攻击进行日志记录;对记录的日志进行展示,以供后续高级可持续威胁攻击的取证及溯源。In one embodiment, a computer apparatus is provided that includes a memory, a processor, and a computer program stored on the memory and executable on the processor. When running the program, the processor can perform the following steps: analyze the traffic of the operator's backbone network and restore the files transmitted in the backbone network; filter the traffic in the backbone network to filter out normal traffic and files; Detect the filtered files; detect the intrusion attack traffic in the backbone network; process the detection results, intercept and block the corresponding intrusion attack traffic; log the detected attacks; record the recorded logs Display it for forensics and traceability of subsequent advanced persistent threat attacks.

可以理解的是,本发明实施例所提供的一种计算机设备,其处理器执行存储在存储器上的程序不限于如上所述的方法操作,还可以执行本发明任意实施例所提供的高级可持续威胁检测方法中的相关操作。It can be understood that, in the computer device provided by the embodiments of the present invention, the execution of the program stored in the memory by the processor of the computer is not limited to the above-mentioned method operations, and can also execute the high-level sustainable operation provided by any embodiment of the present invention. Related actions in the threat detection method.

Further, the number of processors in the above computer may be one or more, and the processor and the memory may be connected by a bus or in other ways. The memory may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system and an application program required for at least one function, and the data storage area may store data created according to the use of the terminal, and the like. In addition, the memory may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device. In some instances, the memory may further include memory located remotely from the processor, and such remote memory may be connected to the device/terminal/server through a network. Examples of such networks include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network, and combinations thereof.

In one embodiment, the present invention also provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, it causes the processor to perform the following steps: filtering the traffic in the backbone network so as to filter out normal traffic and files; detecting the filtered files; detecting intrusion attack traffic in the backbone network; processing the detection results and intercepting and blocking the corresponding intrusion attack traffic; logging the detected attacks; and displaying the recorded logs for forensics and source tracing of subsequent advanced sustainable threat attacks.

It will be understood that, for the computer-readable storage medium containing a computer program provided by the embodiments of the present invention, the computer-executable program is not limited to the method operations described above, and can also execute related operations in the advanced sustainable threat detection method provided by any embodiment of the present invention.

From the above description of the embodiments, those skilled in the art can clearly understand that the present invention can be implemented by software together with the necessary general-purpose hardware, and of course can also be implemented by hardware, but in many cases the former is the better embodiment. Based on this understanding, the technical solution of the present invention in essence, or the part of it that contributes to the prior art, can be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as a floppy disk, read-only memory (ROM), random access memory (RAM), flash memory (FLASH), hard disk or optical disk of a computer, and which includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute the methods described in the various embodiments of the present invention.

The technical features of the above embodiments can be combined arbitrarily. For the sake of brevity, not all possible combinations of the technical features in the above embodiments are described; however, as long as there is no contradiction in the combination of these technical features, it should be regarded as within the scope described in this specification.

The above embodiments only express the preferred embodiments of the present invention and the technical principles applied, and their description is relatively specific and detailed, but this should not be understood as limiting the scope of the invention patent. Those skilled in the art can make various obvious changes, readjustments and substitutions without departing from the protection scope of the present invention. Therefore, although the present invention has been described in considerable detail through the above embodiments, the present invention is not limited to the above embodiments and may include further equivalent embodiments without departing from the concept of the present invention; the protection scope of the patent is determined by the appended claims.

Claims (10)

1. An advanced sustainable threat detection method, comprising:
analyzing the flow of a backbone network of an operator and restoring files transmitted in the backbone network;
filtering the flow in the backbone network to filter out normal flow and files;
detecting the filtered file;
detecting intrusion attack flow in a backbone network;
processing the detection result, and intercepting and plugging the corresponding intrusion attack flow;
logging the detected attacks;
and displaying the recorded log for evidence obtaining and tracing of subsequent advanced sustainable threat attacks.
2. The method of claim 1, wherein the step of filtering traffic in the backbone network to filter out normal traffic and files comprises:
acquiring identification information of normal flow and files;
generating a mapping library of the identification information according to a bloom filter algorithm;
and matching the mapping library with the flow, and filtering the flow containing the normal identification information.
3. The method of claim 2, wherein the identification information comprises at least one of IP information, URL information, DNS information, and MD5 information.
4. The method of claim 1, wherein the step of detecting the filtered file comprises:
initializing a scanning engine library;
creating a scanning engine;
loading a virus library;
compiling a scanning engine;
initializing file monitoring and monitoring a filtered file path;
adding the newly written file in the file path into a monitoring queue;
and scanning the files in the monitoring queue in a hyperscan mode.
5. The method of claim 1, wherein the step of detecting intrusion attack traffic in the backbone network comprises:
loading an intrusion detection rule base;
compiling an intrusion detection rule and establishing a rule mapping relation;
and scanning the flow in a hyperscan mode and outputting a scanning result.
6. An advanced sustainable threat detection system, comprising:
the analysis and restoration module is used for analyzing the flow of the backbone network of the operator and restoring the files transmitted in the backbone network;
the information filtering module is used for filtering the flow in the backbone network so as to filter the normal flow and files;
the file detection module is used for detecting the file filtered by the information filtering module;
the attack detection module is used for detecting the intrusion attack flow in the backbone network;
the interception and blocking module is used for processing the detection results of the file detection module and the attack detection module and intercepting and blocking corresponding intrusion attack flow;
the log recording module is used for carrying out log recording on the detected attack;
and the log display module is used for displaying the recorded logs for evidence obtaining and source tracing of subsequent advanced sustainable threat attacks.
7. The advanced sustainable threat detection system of claim 6, wherein the analytics recovery module has carrier-level processing capabilities and uses a dpdk development kit to perform network traffic processing.
8. The advanced sustainable threat detection system of claim 6, wherein the file detection module employs a multi-thread model, wherein one thread monitors a path of a generated file and writes the path into a monitoring queue in real time, and the remaining threads retrieve the file from the monitoring queue in real time for scanning.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the advanced sustainable threat detection method according to any one of claims 1 to 5 when executing the program.
10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the advanced sustainable threat detection method as claimed in any one of claims 1 to 5.
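The mapping library of claims 2 and 3 can be built as a Bloom filter over typed identifiers (IP, URL, DNS, MD5) and matched against restored flow records. The following is an added Python example, not code from the patent: the BloomFilter helper, the "kind:" prefix convention, the flow record fields, the sample data and the rule that a flow is dropped only when every identifier it carries is known-normal are all this example's assumptions.

```python
import hashlib
import math

class BloomFilter:
    """Bit-array Bloom filter over strings (hypothetical helper, not the patent's own code)."""
    def __init__(self, expected_items, fp_rate):
        # Standard sizing: m bits and k hash functions for the target false-positive rate.
        self.m = math.ceil(-expected_items * math.log(fp_rate) / math.log(2) ** 2)
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        # Double hashing (h1 + i*h2) from one SHA-256 digest yields the k bit indices.
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, item):
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))

def false_positive_rate(n, m, k):
    """Probability that an identifier NOT in the library still matches once n entries are stored."""
    return (1 - math.exp(-k * n / m)) ** k

def build_mapping_library(normal_identifiers, expected_items=10_000, fp_rate=1e-6):
    """Claim 2: turn the known-normal identification information into a Bloom-filter library."""
    library = BloomFilter(expected_items, fp_rate)
    for ident in normal_identifiers:
        library.add(ident)
    return library

# Claim 3's identifier kinds; the "kind:" prefix is this example's convention so kinds never collide.
_FIELDS = (("src_ip", "ip"), ("dst_ip", "ip"), ("url", "url"), ("dns", "dns"), ("md5", "md5"))

def flow_identifiers(flow):
    return [f"{kind}:{flow[field]}" for field, kind in _FIELDS if flow.get(field)]

def filter_flows(flows, library):
    """Keep flows that still need detection; drop a flow only when every identifier it
    carries is known-normal (this example's conservative reading of claim 2)."""
    kept = []
    for flow in flows:
        idents = flow_identifiers(flow)
        if not idents or any(ident not in library for ident in idents):
            kept.append(flow)
    return kept

# Constructed sample data (not from the patent): an allowlist and three restored flow records.
NORMAL_IDENTIFIERS = ["ip:10.0.0.5", "ip:10.0.0.9", "dns:updates.example.net",
                      "url:http://updates.example.net/p.bin", "md5:0123456789abcdef0123456789abcdef"]
SAMPLE_FLOWS = [
    {"src_ip": "10.0.0.5", "dst_ip": "10.0.0.9", "dns": "updates.example.net",
     "url": "http://updates.example.net/p.bin", "md5": "0123456789abcdef0123456789abcdef"},
    {"src_ip": "10.0.0.5", "dst_ip": "10.0.0.9", "md5": "ffffffffffffffffffffffffffffffff"},
    {"src_ip": "10.0.0.77", "dst_ip": "10.0.0.9", "dns": "updates.example.net"},
]
```

A Bloom-filter false positive here means an unknown identifier is treated as normal and its flow bypasses the file and intrusion detectors, so the library must be sized for the number of entries it will actually hold; false_positive_rate shows the resulting miss probability.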
CN202010360373.5A 2020-04-30 2020-04-30 Advanced sustainable threat detection method, system, computer and storage medium Pending CN111641589A (en)


Publications (1)

Publication Number Publication Date
CN111641589A true CN111641589A (en) 2020-09-08

Family

ID=72331908

Country Status (1)

Country Link
CN (1) CN111641589A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200908