CN111641589A - Advanced sustainable threat detection method, system, computer and storage medium - Google Patents

Advanced sustainable threat detection method, system, computer and storage medium Download PDF

Info

Publication number
CN111641589A
CN111641589A CN202010360373.5A CN202010360373A CN111641589A CN 111641589 A CN111641589 A CN 111641589A CN 202010360373 A CN202010360373 A CN 202010360373A CN 111641589 A CN111641589 A CN 111641589A
Authority
CN
China
Prior art keywords
flow
file
attack
backbone network
module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010360373.5A
Other languages
Chinese (zh)
Inventor
王悦
李伟
鲁银冰
蒋熠
智绪龙
刘乐
田毅
赵雪昆
谢锋林
胡声秋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sino Telecom Technology Co inc
China Mobile Communications Group Co Ltd
China Mobile Hangzhou Information Technology Co Ltd
China Mobile Group Zhejiang Co Ltd
Original Assignee
Sino Telecom Technology Co inc
China Mobile Communications Group Co Ltd
China Mobile Hangzhou Information Technology Co Ltd
China Mobile Group Zhejiang Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sino Telecom Technology Co inc, China Mobile Communications Group Co Ltd, China Mobile Hangzhou Information Technology Co Ltd, China Mobile Group Zhejiang Co Ltd filed Critical Sino Telecom Technology Co inc
Priority to CN202010360373.5A priority Critical patent/CN111641589A/en
Publication of CN111641589A publication Critical patent/CN111641589A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/145Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a high-level sustainable threat detection method, a system, a computer and a storage medium, wherein the detection method comprises the following steps: analyzing the flow of a backbone network of an operator and restoring files transmitted in the backbone network; filtering the flow in the backbone network to filter out normal flow and files; detecting the filtered file; detecting intrusion attack flow in a backbone network; processing the detection result, and intercepting and plugging the corresponding intrusion attack flow; logging the detected attacks; and displaying the recorded log for evidence obtaining and tracing of subsequent high-level sustainable threat attack. The method can detect Advanced Persistent Thread (APT) attack in multiple directions, provides powerful data support for APT detection by operators, provides detailed traceability information, can block network attack, and guarantees benefits of users.

Description

Advanced sustainable threat detection method, system, computer and storage medium
Technical Field
The embodiment of the invention relates to a computer network security technology, in particular to a high-level sustainable threat detection method, a system, a computer and a storage medium.
Background
Advanced Persistent Threat (ATP) attacks usually take the form of long-term hibernation after penetrating into the inside of a network, and use personnel inside an organization as an attack springboard to continuously try various attack means and continuously collect various information until important information is collected. The intent of an APT attack is to steal data rather than cause damage to the network.
Currently, protection against APT generally detects traffic, behavior, or files at a gateway at an exit of a lan network, and generally requires a network firewall to have the related function. The operator is used as a key node of the network, and is completely unknown about the APT attack in the network, and meanwhile, if the phenomenon occurs in the network, the follow-up operator cannot block and trace the attack in the network, and cannot find out the truth of the network attack.
Disclosure of Invention
Based on the above technical problem, the present invention provides a method, a system, a computer and a storage medium for detecting a high-level sustainable threat, which can trace the APT attack in the source network by monitoring the traffic of the backbone network, and find out the truth of the network attack.
In a first aspect, an embodiment of the present invention provides an advanced sustainable threat detection method, including:
analyzing the flow of a backbone network of an operator and restoring files transmitted in the backbone network;
filtering the flow in the backbone network to filter out normal flow and files;
detecting the filtered file;
detecting intrusion attack flow in a backbone network;
processing the detection result, and intercepting and plugging the corresponding intrusion attack flow;
logging the detected attacks;
and displaying the recorded log for evidence obtaining and tracing of subsequent high-level sustainable threat attack.
The advanced sustainable threat detection method can detect APT attacks in multiple directions, provides powerful data support for APT detection for operators, provides detailed traceability information, can block network attacks, and guarantees benefits of users.
In one embodiment, the step of filtering traffic in the backbone network to filter out normal traffic and files includes:
acquiring identification information of normal flow and files;
generating a mapping library of the identification information according to a bloom filter algorithm;
and matching the mapping library with the flow, and filtering the flow containing the normal identification information.
In one embodiment, the identification information includes at least one of IP information, URL information, DNS information, and MD5 information.
In one embodiment, the step of detecting the filtered file includes:
initializing a scanning engine library;
creating a scanning engine;
loading a virus library;
compiling a scanning engine;
initializing file monitoring and monitoring a filtered file path;
adding the newly written file in the file path into a monitoring queue;
and scanning the files in the monitoring queue in a hyperscan mode.
In one embodiment, the step of detecting intrusion attack traffic in the backbone network includes:
loading an intrusion detection rule base;
compiling an intrusion detection rule and establishing a rule mapping relation;
and scanning the flow in a hyperscan mode and outputting a scanning result.
In a second aspect, an embodiment of the present invention further provides an advanced sustainable threat detection system, including:
the analysis and restoration module is used for analyzing the flow of the backbone network of the operator and restoring the files transmitted in the backbone network;
the information filtering module is used for filtering the flow in the backbone network so as to filter the normal flow and files;
the file detection module is used for detecting the file filtered by the information filtering module;
the attack detection module is used for detecting the intrusion attack flow in the backbone network;
the interception and blocking module is used for processing the detection results of the file detection module and the attack detection module and intercepting and blocking corresponding invasion attack flow;
the log recording module is used for carrying out log recording on the detected attack;
and the log display module is used for displaying the recorded logs for evidence obtaining and source tracing of subsequent high-level sustainable threat attacks.
The advanced sustainable threat detection system can detect APT attacks in multiple directions, provides powerful data support for APT detection for operators, provides detailed traceability information, can block network attacks, and guarantees benefits of users.
In one embodiment, the analysis and restoration module has a carrier-level processing capability, and network traffic processing is completed by adopting a dpdk development kit.
In one embodiment, the file detection module adopts a multi-thread model, wherein one thread monitors a path of a generated file and writes the path into a monitoring queue in real time, and the other threads acquire the file from the monitoring queue in real time to scan.
In a third aspect, an embodiment of the present invention further provides a computer device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor executes the computer program to implement the method for detecting high-level sustainable threats as described above.
In a fourth aspect, the present invention further provides a computer-readable storage medium, on which a computer program is stored, which when executed by a processor implements the advanced sustainable threat detection method as described above.
Drawings
FIG. 1 is a schematic flow diagram of an advanced sustainable threat detection method in one embodiment;
FIG. 2 is a flow diagram illustrating steps in one embodiment for filtering traffic in a backbone network to filter out normal traffic and files;
FIG. 3 is a flow diagram that illustrates steps performed in one embodiment to detect filtered documents;
FIG. 4 is a flow diagram illustrating steps in an embodiment for detecting intrusion attack traffic in a backbone network;
FIG. 5 is an architectural diagram of an advanced sustainable threat detection system, in one embodiment.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
Fig. 1 is a schematic flow diagram of an advanced sustainable threat detection method in an embodiment, as shown in fig. 1, in an embodiment, the embodiment of the present invention is applied to a network security device, and the advanced sustainable threat detection method includes the following steps:
step 110: analyzing the flow of the backbone network of the operator and restoring the files transmitted in the backbone network.
Specifically, after receiving the network traffic of the backbone network, the device side needs to perform a first-step analysis on the network traffic to restore the transmission files in the network, so as to obtain the relevant information to be subsequently detected, and the relevant information can be specifically determined according to the types of the files in the traffic.
Step S120: and filtering the traffic in the backbone network to filter out normal traffic and files.
Specifically, after analyzing and restoring the traffic of the backbone network, comparing and querying the traffic and the files according to the obtained detection related information, wherein the comparison and querying can be specifically completed by using bloom filters, trusted traffic and files in an operator can be filtered after the comparison and querying, and then the remaining suspicious traffic and files are detected. Because credible flow and files are not detected any more subsequently, the data volume of subsequent detection processing can be greatly reduced, and the processing performance of the equipment is improved.
Step S130: and detecting the filtered file.
In particular, for the detection of the filtered suspicious files, the files generally transmitted in the network may contain various forms, such as executable program exe files, compressed files rar/zip/gz, and shell files, and these files may be classified in turn and then decompressed or shelled. And finally, scanning the file by using a hyperscan scanning mode to obtain a scanning result. And marking the attack file according to the scanning result, otherwise, not marking.
Step S140: intrusion attack traffic in the backbone network is detected.
Specifically, besides the suspicious file, the filtered suspicious traffic needs to be detected, and specifically, a hyperscan scanning mode may be used to scan the features in the traffic packet and obtain the scanning result. And marking the invasion attack flow according to the scanning result, otherwise not marking
Step S150: and processing the detection result, and intercepting and plugging the corresponding intrusion attack flow.
Specifically, the marked high-level sustainable threat attack traffic and files after detection are intercepted and blocked, so that the network security of the local equipment is ensured.
Step S160: logging the detected attacks.
Specifically, after interception, log output processing needs to be performed on the marked data stream, and the marked data stream is written into a log database. The logged information includes, but is not limited to, time, log level, source address, destination address, protocol type, event name, event type, virus name, file name, APT organization, country, etc.
Step S170: and displaying the recorded log for evidence obtaining and tracing of subsequent high-level sustainable threat attack.
Specifically, at the web end, the interception blocking information in the log record can be read from the database, so that the same or similar advanced sustainable threat attack can be prevented according to the interception blocking information, and the network security can be continuously improved.
The advanced sustainable threat detection method can detect APT attacks in multiple directions, provides powerful data support for APT detection for operators, provides detailed traceability information, can block network attacks, and guarantees benefits of users.
Fig. 2 is a schematic flow chart illustrating the steps of filtering traffic in the backbone network to filter out normal traffic and files in one embodiment, as shown in fig. 2, the step S120 in this embodiment may specifically include:
step S121: and acquiring the identification information of the normal flow and the file.
Step S122: and generating a mapping library of the normal identification information according to the bloom filter algorithm.
Step S123: and matching the mapping library with the traffic, and filtering the traffic containing the normal identification information.
Specifically, identification information of normal traffic and files is first acquired, and in a preferred embodiment, the identification information includes at least one of IP information, URL information, DNS information, and MD5 information. For example, if the flow is a DNS message, DNS information of the DNS message is mainly acquired; if the traffic is HTTP message, mainly acquiring URL field information of the traffic; if the flow is other common messages, the IP information of the common messages is mainly acquired; if the message is a file, the file is restored and the corresponding MD5 information is recorded. After the collected IP, URL, DNS and MD5 information of the normal information is obtained, a mapping library of the IP, URL, DNS and MD5 information can be generated according to a bloomfilter algorithm, the traffic in the mapping library and the traffic in a backbone network are used for matching, the traffic containing the normal IP, URL, DNS and yijiMD5 information is filtered out, and only suspicious traffic and files are left.
Fig. 3 is a schematic flow chart of detecting the filtered file in the foregoing embodiment, and as shown in fig. 3, step S130 in this embodiment may specifically include:
step S131: initializing a scanning engine library;
step S132: creating a scanning engine;
step S133: loading a virus library;
step S134: compiling a scanning engine;
step S135: initializing file monitoring and monitoring a filtered file path;
step S136: adding the newly written file in the file path into a monitoring queue;
step S137: and scanning the files in the monitoring queue in a hyperscan mode.
Specifically, because the existing file detection method has a large defect in the scanning performance of the file, in order to realize high-performance file detection, a multithreading mode can be adopted to realize, the monitoring file and the scanning file are subjected to thread distinguishing, and a hyperscan scanning mode is adopted to realize virus scanning. The main process first initializes the scan engine library for later file scan interface calls, loads the virus library and compiles the scan engine. Initializing file monitoring and monitoring the filtered file path, and mainly monitoring the file attribute of IN _ CLOSE _ WRITE. And creating a monitoring thread and binding the monitoring thread to a certain CPU thread, wherein the thread mainly adds a newly written file into a monitoring queue, then creates a file scanning thread and binds the file scanning thread to other CPU threads, the number of the threads can be determined according to actual conditions and is all used for processing file scanning, the scanning principle can adopt a hyperscan mode, the performance is further improved, the files are obtained from the monitoring queue to be scanned one by one, and scanning results are output.
Fig. 4 is a schematic flow chart of the steps in the foregoing embodiment for detecting intrusion attack traffic in the backbone network, and as shown in fig. 4, the step S140 in this embodiment may specifically include:
step S141: loading an intrusion detection rule base;
step S142: compiling an intrusion detection rule and establishing a rule mapping relation;
step S143: and scanning the flow in a hyperscan mode and outputting a scanning result.
Specifically, because the existing intrusion detection method has a relatively large defect in performance, in order to realize high-performance intrusion detection, a hyperscan scanning mode can be adopted to replace the currently popular AC/BM mode.
FIG. 5 is a block diagram of an advanced sustainable threat detection system in one embodiment, and as shown in FIG. 5, in one embodiment, an advanced sustainable threat detection system 300 includes:
an analysis and restoration module 310, configured to analyze traffic of a backbone network of an operator and restore files transmitted in the backbone network; the information filtering module 320 is configured to filter traffic in the backbone network to filter normal traffic and files; the file detection module 330 is configured to detect the file filtered by the information filtering module 320; an attack detection module 340, configured to detect intrusion attack traffic in the backbone network; the interception and blocking module 350 is configured to process results detected by the file detection module 330 and the attack detection module 350, and intercept and block corresponding intrusion attack traffic; a log recording module 360, configured to perform log recording on the detected attack; and the log display module 370 is used for displaying the recorded logs for evidence obtaining and source tracing of subsequent high-level sustainable threat attacks.
Specifically, the analysis and restoration module 310 receives and analyzes the network traffic of the backbone network, restores the transmission files in the network to obtain the relevant information to be detected by the subsequent modules, and sends the relevant information to the information filtering module 320. In a preferred embodiment, the analysis and restoration module 310 has a carrier-level processing capability, and uses a dpdk development kit to complete network traffic processing. The information filtering module 320 may filter the received traffic through an identification information mapping library of the normal traffic, where the identification information may specifically include IP information, URL information, DNS information, and MD5 information, filter the traffic and the file of the normal identification information, and send the suspicious file and the traffic to the file detecting module 330 and the attack detecting module 340, respectively.
The file detection module 330 and the attack detection module 340 respectively detect the received suspicious file and the received traffic, and a specific detection mode may be determined according to an actual situation, for example, the file and the traffic package may be scanned by using hyperscan. In a preferred embodiment, the file detection module 340 employs a multi-thread model, wherein one thread monitors a path of a generated file and writes the path into a monitoring queue in real time, and the other threads acquire the file from the monitoring queue in real time to scan, so that the detection efficiency can be effectively improved. After detecting the files and the traffic, the file detection module 330 and the attack detection module 340 send the detection results to the interception blocking module 350.
The interception and blocking module 350 intercepts and blocks the corresponding advanced sustainable threat attack file and flow according to the received detection, and sends the interception and blocking information to the log recording module 360. The log recording module 360 records the interception blocking information as log information, and writes the log information into a database, where the log information may specifically include time, log level, source address, destination address, protocol type, event name, event type, virus name, file name, APT organization, country, and the like. The log display module 370 can read and display the intercepted and blocked log information from the database of the log recording module 360, so that the same or similar advanced sustainable threat attacks can be prevented accordingly, and the network security can be continuously improved.
The advanced sustainable threat detection system 300 can detect the APT attack in multiple directions, provide powerful data support for the operator to detect the APT, provide detailed traceability information, and simultaneously block the network attack, thereby ensuring the benefits of the user.
It can be understood that the advanced sustainable threat detection system provided by the embodiment of the present invention may execute the advanced sustainable threat detection method provided by any embodiment of the present invention, and has corresponding functional modules and beneficial effects of the execution method. The units and modules included in the advanced sustainable threat detection system in the above embodiment are only divided according to functional logic, but are not limited to the division in the above embodiment as long as the corresponding functions can be implemented; in addition, specific names of the functional units are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present invention.
In one embodiment, a computer device is provided that includes a memory, a processor, and a computer program stored on the memory and executable on the processor. The processor, when running the program, may perform the steps of: analyzing the flow of a backbone network of an operator and restoring files transmitted in the backbone network; filtering the flow in the backbone network to filter out normal flow and files; detecting the filtered file; detecting intrusion attack flow in a backbone network; processing the detection result, and intercepting and plugging the corresponding intrusion attack flow; logging the detected attacks; and displaying the recorded log for evidence obtaining and tracing of subsequent high-level sustainable threat attack.
It is to be understood that the computer device provided by the embodiments of the present invention, the processor of which executes the program stored in the memory, is not limited to the method operations described above, and may also execute the relevant operations in the advanced sustainable threat detection method provided by any embodiments of the present invention.
Further, the number of processors in the computer may be one or more, and the processors and the memory may be connected by a bus or other means. The memory can mainly comprise a program storage area and a data storage area, wherein the program storage area can store an operating system and an application program required by at least one function; the storage data area may store data created according to the use of the terminal, and the like. Further, the memory may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some examples, the memory may further include memory located remotely from the processor, which may be connected to the device/terminal/server via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
In one embodiment, the present invention also provides a computer readable storage medium having a computer program stored thereon, which when executed by a processor, causes the processor to perform the steps of: filtering the flow in the backbone network to filter out normal flow and files; detecting the filtered file; detecting intrusion attack flow in a backbone network; processing the detection result, and intercepting and plugging the corresponding intrusion attack flow; logging the detected attacks; and displaying the recorded log for evidence obtaining and tracing of subsequent high-level sustainable threat attack.
It is to be understood that the computer-readable storage medium containing the computer program according to the embodiments of the present invention is not limited to the method operations described above, and may also perform related operations in the advanced sustainable threat detection method according to any embodiments of the present invention.
From the above description of the embodiments, it is obvious for those skilled in the art that the present invention can be implemented by software and necessary general hardware, and certainly, can also be implemented by hardware, but the former is a better embodiment in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which may be stored in a computer-readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute the methods described in the embodiments of the present invention.
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above embodiments only represent the preferred embodiments of the present invention and the applied technical principles, and the description thereof is specific and detailed, but not construed as limiting the scope of the invention. Numerous variations, changes and substitutions will be apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in more detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (10)

1. An advanced sustainable threat detection method, comprising:
analyzing the flow of a backbone network of an operator and restoring files transmitted in the backbone network;
filtering the flow in the backbone network to filter out normal flow and files;
detecting the filtered file;
detecting intrusion attack flow in a backbone network;
processing the detection result, and intercepting and plugging the corresponding intrusion attack flow;
logging the detected attacks;
and displaying the recorded log for evidence obtaining and tracing of subsequent high-level sustainable threat attack.
2. The method of claim 1, wherein the step of filtering traffic in the backbone network to filter out normal traffic and files comprises:
acquiring identification information of normal flow and files;
generating a mapping library of the identification information according to a bloom filter algorithm;
and matching the mapping library with the flow, and filtering the flow containing the normal identification information.
3. The method of claim 2, wherein the identification information comprises at least one of IP information, URL information, DNS information, and MD5 information.
4. The method of claim 1, wherein the step of detecting the filtered file comprises:
initializing a scanning engine library;
creating a scanning engine;
loading a virus library;
compiling a scanning engine;
initializing file monitoring and monitoring a filtered file path;
adding the newly written file in the file path into a monitoring queue;
and scanning the files in the monitoring queue in a hyperscan mode.
5. The method of claim 1, wherein the step of detecting intrusion attack traffic in the backbone network comprises:
loading an intrusion detection rule base;
compiling an intrusion detection rule and establishing a rule mapping relation;
and scanning the flow in a hyperscan mode and outputting a scanning result.
6. An advanced sustainable threat detection system, comprising:
the analysis and restoration module is used for analyzing the flow of the backbone network of the operator and restoring the files transmitted in the backbone network;
the information filtering module is used for filtering the flow in the backbone network so as to filter the normal flow and files;
the file detection module is used for detecting the file filtered by the information filtering module;
the attack detection module is used for detecting the intrusion attack flow in the backbone network;
the interception and blocking module is used for processing the detection results of the file detection module and the attack detection module and intercepting and blocking corresponding invasion attack flow;
the log recording module is used for carrying out log recording on the detected attack;
and the log display module is used for displaying the recorded logs for evidence obtaining and source tracing of subsequent high-level sustainable threat attacks.
7. The advanced sustainable threat detection system of claim 6, wherein the analytics recovery module has carrier-level processing capabilities and uses a dpdk development kit to perform network traffic processing.
8. The advanced sustainable threat detection system of claim 6, wherein the file detection module employs a multi-thread model, wherein one thread monitors a path of a generated file and writes the path into a monitoring queue in real time, and the remaining threads retrieve the file from the monitoring queue in real time for scanning.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the advanced sustainable threat detection method according to any one of claims 1 to 5 when executing the program.
10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the advanced sustainable threat detection method as claimed in any one of claims 1 to 5.
CN202010360373.5A 2020-04-30 2020-04-30 Advanced sustainable threat detection method, system, computer and storage medium Pending CN111641589A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010360373.5A CN111641589A (en) 2020-04-30 2020-04-30 Advanced sustainable threat detection method, system, computer and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010360373.5A CN111641589A (en) 2020-04-30 2020-04-30 Advanced sustainable threat detection method, system, computer and storage medium

Publications (1)

Publication Number Publication Date
CN111641589A true CN111641589A (en) 2020-09-08

Family

ID=72331908

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010360373.5A Pending CN111641589A (en) 2020-04-30 2020-04-30 Advanced sustainable threat detection method, system, computer and storage medium

Country Status (1)

Country Link
CN (1) CN111641589A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112560020A (en) * 2021-02-19 2021-03-26 鹏城实验室 Threat attack detection method, device, terminal equipment and storage medium
CN113612779A (en) * 2021-08-05 2021-11-05 杭州中尔网络科技有限公司 Advanced sustainable attack behavior detection method based on flow information
CN116074066A (en) * 2022-12-29 2023-05-05 广西南宁英福泰科信息科技有限公司 Intelligent monitoring blocking method and system for retrieval threat information

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1909488A (en) * 2006-08-30 2007-02-07 北京启明星辰信息技术有限公司 Virus detection and invasion detection combined method and system
CN105260662A (en) * 2014-07-17 2016-01-20 南京曼安信息科技有限公司 Detection device and method of unknown application bug threat
CN109167754A (en) * 2018-07-26 2019-01-08 北京计算机技术及应用研究所 A kind of network application layer security protection system
CN110022288A (en) * 2018-01-10 2019-07-16 贵州电网有限责任公司遵义供电局 A kind of APT threat recognition methods
CN110674499A (en) * 2019-08-27 2020-01-10 成都网思科平科技有限公司 Method, device and storage medium for identifying computer threat

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1909488A (en) * 2006-08-30 2007-02-07 北京启明星辰信息技术有限公司 Virus detection and invasion detection combined method and system
CN105260662A (en) * 2014-07-17 2016-01-20 南京曼安信息科技有限公司 Detection device and method of unknown application bug threat
CN110022288A (en) * 2018-01-10 2019-07-16 贵州电网有限责任公司遵义供电局 A kind of APT threat recognition methods
CN109167754A (en) * 2018-07-26 2019-01-08 北京计算机技术及应用研究所 A kind of network application layer security protection system
CN110674499A (en) * 2019-08-27 2020-01-10 成都网思科平科技有限公司 Method, device and storage medium for identifying computer threat

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112560020A (en) * 2021-02-19 2021-03-26 鹏城实验室 Threat attack detection method, device, terminal equipment and storage medium
CN113612779A (en) * 2021-08-05 2021-11-05 杭州中尔网络科技有限公司 Advanced sustainable attack behavior detection method based on flow information
CN116074066A (en) * 2022-12-29 2023-05-05 广西南宁英福泰科信息科技有限公司 Intelligent monitoring blocking method and system for retrieval threat information
CN116074066B (en) * 2022-12-29 2023-07-07 广西南宁英福泰科信息科技有限公司 Intelligent monitoring blocking method and system for retrieval threat information

Similar Documents

Publication Publication Date Title
WO2015120752A1 (en) Method and device for handling network threats
US11647037B2 (en) Penetration tests of systems under test
TWI396995B (en) Method and system for cleaning malicious software and computer program product and storage medium
CN111641589A (en) Advanced sustainable threat detection method, system, computer and storage medium
US20160134503A1 (en) Performance enhancements for finding top traffic patterns
US10440035B2 (en) Identifying malicious communication channels in network traffic by generating data based on adaptive sampling
US11909761B2 (en) Mitigating malware impact by utilizing sandbox insights
Kaushik et al. Network forensic system for port scanning attack
US9479521B2 (en) Software network behavior analysis and identification system
CN111464526A (en) Network intrusion detection method, device, equipment and readable storage medium
US20160205118A1 (en) Cyber black box system and method thereof
KR20110088042A (en) Apparatus and method for automatically discriminating malicious code
CN112217777A (en) Attack backtracking method and equipment
CN112532631A (en) Equipment safety risk assessment method, device, equipment and medium
Liu et al. Loocipher ransomware detection using lightweight packet characteristics
Fatemi et al. Threat hunting in windows using big security log data
CN112769635B (en) Service identification method and device for multi-granularity feature analysis
CN112287340B (en) Evidence obtaining and tracing method and device for terminal attack and computer equipment
CN116170186A (en) Attack code online detection method and device based on network traffic analysis
US20230315848A1 (en) Forensic analysis on consistent system footprints
Al-Sofyani et al. A Survey of Malware Forensics Analysis Techniques and Tools
Su et al. Understanding the influence of graph Kernels on deep learning architecture: a case study of flow-based network attack detection
CN109255243B (en) Method, system, device and storage medium for repairing potential threats in terminal
CN110784471A (en) Blacklist collection management method and device, computer equipment and storage medium
CN114301689B (en) Campus network security protection method and device, computing equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200908

RJ01 Rejection of invention patent application after publication