CN111641951A - 5G network APT attack tracing method and system based on SA architecture - Google Patents


Info

Publication number
CN111641951A
Authority
CN
China
Prior art keywords
data
characteristic
matched
information table
information
Legal status
Granted
Application number
CN202010360640.9A
Other languages
Chinese (zh)
Other versions
CN111641951B (en)
Inventor
王悦
李晢燊
冯林
李伟
孔令南
陈东
魏来
吕明
陈敏时
郑佳
Current Assignee
Sino Telecom Technology Co inc
China Mobile Communications Group Co Ltd
China Mobile Group Yunnan Co Ltd
Original Assignee
Sino Telecom Technology Co inc
China Mobile Communications Group Co Ltd
China Mobile Group Yunnan Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/903 Querying
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computational Linguistics (AREA)
  • Computing Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a 5G network APT attack tracing method based on an SA architecture, characterized by comprising the following steps: forming a key from source characteristic data and tunnel information, and storing an information table built on the key and matched to warning data; acquiring third-interface traffic data and parsing and processing it into detection data; when the detection data matches a preset state, querying the information table and obtaining the matching key from it; and tracing, by the key, the source characteristic data matched to it.

Description

5G network APT attack tracing method and system based on SA architecture
Technical Field
The invention relates to the technical field of information security, in particular to a 5G network APT attack tracing method and system based on an SA architecture.
Background
The fifth generation mobile communication system (5G), as an important direction in the evolution and upgrade of new-generation information and communication technology, is a key information infrastructure for realizing the interconnection of everything and an important driving force of the digital transformation of the economy and society. According to an IDC forecast, the number of Internet of Things devices worldwide will reach 41.6 billion by 2025. The industrial internet, vehicular networking, smart grids, smart cities, military networks and the like will all develop rapidly on 5G networks. 5G can be used to build an intelligent world in which everything is interconnected: people with people, people with things, and things with things. While 5G provides users with richer services and a better experience at higher speed, higher capacity and lower cost, it also brings more security challenges; the threats it faces are broader and more complex, and the continued development of new technologies such as cloud computing, artificial intelligence, big data, the Internet of Things and blockchain breaks the former security boundary, so that malicious attacks of every kind are more rampant and network security threats are everywhere. An Advanced Persistent Threat (APT) is an attack pattern that bypasses conventional security detection and protection measures and, when the opportunity arises, steals core data and other information from a network information system by careful disguise, targeted attack, long-term latency and continuous penetration. Compared with other forms of attack, the principle of an APT attack is more advanced, which is mainly reflected in the fact that before launching the attack the APT must accurately collect information on the business processes and the target systems of the attacked organization.
During intelligence gathering, the attacker actively mines vulnerabilities in the trusted systems and applications of the target and builds the C&C network it needs on the basis of those vulnerabilities; none of these actions triggers an alarm on conventional security equipment or arouses suspicion, so the attacker's implants blend in ever more closely with the target's systems and programs. As devices of every kind access the 5G network, APT attacks on mobile networks will also grow explosively. Conventional APT detection systems generally target fixed networks, their tracing is limited to the IP dimension, and neither the timeliness nor the accuracy of tracing can be effectively guaranteed. 5G is now in commercial use and has been deployed at scale worldwide; 5G networking in the NSA architecture is a transitional scheme from 4G to 5G, while 5G networking in the SA architecture is the inevitable future trend, so research on an APT attack tracing system for 5G networks based on the SA architecture is both imperative and significant.
Disclosure of Invention
The invention aims to provide a 5G network APT attack tracing method and system based on an SA architecture, in order to solve the problems of APT attack detection and tracing in the current 5G network environment.
In one aspect, the invention provides a 5G network APT attack tracing method based on an SA architecture, the method comprising:
forming a key from source characteristic data and tunnel information, and storing an information table built on the key and matched to warning data;
acquiring third-interface traffic data and parsing and processing it into detection data;
when the detection data matches a preset state, querying the information table and obtaining the matching key from it; and
tracing, by the key, the source characteristic data matched to it.
Preferably, in the above method, forming a key from the source characteristic data and the tunnel information and storing an information table built on the key and matched to the warning data comprises:
acquiring first-interface, second-interface and eleventh-interface traffic data;
obtaining the source characteristic data from the first-interface, second-interface and/or eleventh-interface traffic data; and
forming the warning data from the source characteristic data, the address data matched to it and the tunnel information.
Preferably, in the above method, forming the warning data from the source characteristic data, the address data matched to it and the tunnel information specifically comprises:
obtaining, from the source characteristic data, the key data matched to it and the address data matched to it; and
forming the warning data from the key data, the address data and the tunnel information.
Preferably, in the above method, acquiring third-interface traffic data and parsing and processing it into detection data specifically comprises:
acquiring the third-interface traffic data and decapsulating it to form user traffic data; and
parsing, counting and restoring the user traffic data to form the detection data.
Preferably, in the above method, querying the information table when the detection data matches a preset state and obtaining the matching key from it specifically comprises:
performing static detection and dynamic detection on the detection data and judging whether it contains attack behavior;
judging that the detection data matches the preset state when it contains attack behavior; and
querying the information table and obtaining the matching key from it.
In another aspect, the invention discloses a 5G network APT attack tracing system based on an SA architecture, comprising at least an APT early warning unit, which comprises:
a user information storage module for forming a key from source characteristic data and tunnel information and storing an information table built on the key and matched to warning data;
an information acquisition module for acquiring third-interface traffic data and parsing and processing it into detection data;
a judging module for querying the information table when the detection data matches a preset state and obtaining the matching key from it; and
a source tracing module for tracing, by the key, the source characteristic data matched to it.
Preferably, the above system further comprises a signaling analysis unit interacting with the APT early warning unit, the signaling analysis unit comprising:
a traffic acquisition module for acquiring first-interface, second-interface and eleventh-interface traffic data;
an information flow analysis module for obtaining the source characteristic data from the first-interface, second-interface and/or eleventh-interface traffic data; and
an information encapsulation module for forming the warning data from the source characteristic data, the address data matched to it and the tunnel information.
Preferably, in the above system, the information acquisition module specifically comprises:
a third traffic receiver for acquiring the third-interface traffic data and decapsulating it to form user traffic data; and
a processing module for parsing, counting and restoring the user traffic data to form the detection data.
Preferably, in the above system, the judging module comprises:
a source tracing detector for performing static detection and dynamic detection on the detection data and judging whether it contains attack behavior;
an APT judger for judging that the detection data matches the preset state when it contains attack behavior; and
a source tracing querier for querying the information table and obtaining the matching key from it.
In a further aspect, the invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements any one of the foregoing 5G network APT attack tracing methods based on the SA architecture.
Compared with the prior art, the invention has the following beneficial effects:
The invention can effectively detect APT attacks in a 5G network, trace their source quickly, prevent threats in time and better protect the security of data. In a 5G network a terminal must exchange signaling messages such as a Registration Request and a Service Request when it accesses the network, and a terminal must already have accessed the network before it can launch an attack; by that time the signaling analysis platform has already sent the terminal's subscriber information to the APT detection platform, and because that subscriber information was registered with the operator, the tracing is genuine and effective. An APT attack event is detected as soon as it occurs, and the attacker's information can be traced immediately from the attack source IP without any further correlation query. The attack source is associated with a specific subscriber through the signaling plane, so when an attack occurs the specific individual can be located and, at the same time, the position of the attack initiator can be determined accurately.
Drawings
Fig. 1 is a diagram of the acquisition points on the 5G core network side of the system according to an embodiment of the invention;
Fig. 2 is a structural diagram of the 5G network APT attack tracing system based on the SA architecture according to an embodiment of the invention.
Detailed Description
The principles and features of the invention are described below with reference to the drawings; the illustrated embodiments are provided to explain the invention, not to limit its scope.
Example one
As shown in Fig. 1, the invention provides a 5G network APT attack tracing method based on the SA architecture, comprising the following steps. In the 5G SA reference architecture the first, second, third and eleventh interfaces referred to below read as the N1, N2, N3 and N11 reference points: N1 and N2 carry the NAS and NGAP signaling between the UE, the (R)AN and the AMF, N3 carries the GTP-U encapsulated user plane between the (R)AN and the UPF, and N11 carries the session management context between the AMF and the SMF.
Step S10: form a key from the source characteristic data and the tunnel information, and store an information table built on the key and matched to the warning data.
Step S20: acquire third-interface traffic data and parse and process it into detection data; the third interface receives its traffic data in DPDK mode. Specifically:
Step S201: acquire the third-interface traffic data and decapsulate it to form user traffic data;
Step S202: parse, count and restore the user traffic data to form the detection data. Files are restored according to configuration, mainly for protocols such as HTTP, IMAP, POP, SMTP and FTP; the file types include Office documents, archives, PE files, scripts and images. At the same time, suspicious traffic such as abnormal protocols, abnormal flows, dynamic domain names and covert channels is marked and counted.
Step S30: when the detection data matches a preset state, query the information table and obtain the matching key from it. Illustratively, static detection and dynamic detection are performed on the detection data to judge whether it contains attack behavior. The source tracing detector comprises at least a feature library, in which at least a virus signature library, a black/white file hash library, an intrusion signature library, an attack signature library and a malicious IP/URL/domain name library are recorded; with this feature information, known Trojans, viruses, vulnerabilities and malicious code can be detected effectively and accurately. When the detection data contains attack behavior it is judged to match the preset state. The APT judger comprises at least a static detection module, a dynamic detection module and a threat judgment module. The dynamic detection module is provided with a machine learning model that uses time-series analysis, kill-chain analysis and entity-relationship analysis to build a threat-based behavior recognition model, which serves as the basis for dynamic detection; dynamic detection performs behavior analysis on suspicious traffic according to this model, covering Trojan communication, covert tunnels, DGA domain names, webshell control, and leakage or theft of sensitive information, so that unknown threats can be detected effectively. The threat judgment module decides whether an attack has occurred according to the configured threshold parameters and threat indicators.
Step S40: trace, by the key, the source characteristic data matched to it. If a threat exists, the subscriber information is queried by UE IP and tunnel ID; the source tracing querier can then trace the source accurately and immediately from the subscriber information and the basic data provided by the operator (such as subscriber registration information and base station location), providing strong technical support and assurance for rapid response to the attack event.
As a further preferred embodiment of the above method, forming a key from the source characteristic data and the tunnel information and storing an information table built on the key and matched to the warning data specifically comprises:
Step S101: acquire first-interface, second-interface and eleventh-interface traffic data; the first interface receives its traffic data in DPDK mode;
Step S102: obtain the source characteristic data from the first-interface, second-interface and/or eleventh-interface traffic data. By parsing messages such as Registration Request and Service Request in this traffic, the SUCI or 5G-GUTI of the UE is extracted, and the SUPI is obtained in combination with the encryption and decryption procedure (the SUCI is the SUPI concealed with the home network public key, so recovering the SUPI from it requires the operator's de-concealment function rather than passive observation alone); the TAC and Cell ID are extracted from the PDU Session Resource Modify message, and information such as the DNN and GPSI from the SM context. From these parse results the subscriber's IMSI, MSISDN, TAC, Cell ID and APN are obtained continuously, carried together with the UE IP and the tunnel ID.
Step S103: form the warning data from the source characteristic data, the address data matched to it and the tunnel information. Specifically:
Step S1031: obtain, from the source characteristic data, the key data matched to it and the address data matched to it;
Step S1032: form the warning data from the key data, the address data and the tunnel information.
Illustratively, the obtained IMSI, MSISDN, TAC, Cell ID, APN, UE IP and tunnel ID of the subscriber are encapsulated into a UDP packet to form the warning data, which is output in DPDK mode or socket mode.
As a further preferred embodiment of the above method, querying the information table when the detection data matches a preset state and obtaining the matching key from it specifically comprises:
performing static detection and dynamic detection on the detection data and judging whether it contains attack behavior;
judging that the detection data matches the preset state when it contains attack behavior; and
querying the information table and obtaining the matching key from it.
Example two
As shown in Fig. 2, in another aspect the invention relates to a 5G network APT attack tracing system based on the SA architecture. The APT early warning unit is deployed on the 5G core network side, for example between the (R)AN and the UPF. By optical splitting or port mirroring, the first-interface, second-interface and eleventh-interface traffic is fed to the traffic acquisition module, and the third-interface traffic to the third traffic receiver.
The user information storage module forms a key from the source characteristic data and the tunnel information and stores an information table built on the key and matched to the warning data.
The information acquisition module acquires third-interface traffic data (the third interface receives, i.e. captures, the traffic in DPDK mode) and parses and processes it into detection data. It specifically comprises:
the third traffic receiver, which acquires the third-interface traffic data and decapsulates it to form user traffic data; and
the processing module, which parses, counts and restores the user traffic data to form the detection data. The processing module restores files according to configuration, mainly for protocols such as HTTP, IMAP, POP, SMTP and FTP; the file types include Office documents, archives, PE files, scripts and images. At the same time, suspicious traffic such as abnormal protocols, abnormal flows, dynamic domain names and covert channels is marked and counted. The third traffic receiver and the processing module receive and process the user plane traffic of the third interface in a load-balanced manner.
The judging module queries the information table when the detection data matches a preset state and obtains the matching key from it. It comprises at least a feature library, in which at least a virus signature library, a black/white file hash library, an intrusion signature library, an attack signature library and a malicious IP/URL/domain name library are recorded; with this feature information, known Trojans, viruses, vulnerabilities and malicious code can be detected effectively and accurately.
The APT judger judges that the detection data matches the preset state when it contains attack behavior. It comprises at least a static detection module, a dynamic detection module and a threat judgment module. The dynamic detection module is provided with a machine learning model that uses time-series analysis, kill-chain analysis and entity-relationship analysis to build a threat-based behavior recognition model, which serves as the basis for dynamic detection; dynamic detection performs behavior analysis on suspicious traffic according to this model, covering Trojan communication, covert tunnels, DGA domain names, webshell control, and leakage or theft of sensitive information, so that unknown threats can be detected effectively. The threat judgment module decides whether an attack has occurred according to the configured threshold parameters and threat indicators.
The source tracing module traces, by the key, the source characteristic data matched to it. It specifically comprises:
the source tracing querier, which queries the information table and obtains the matching key from it. If a threat exists, the subscriber information is queried by UE IP and tunnel ID; the source tracing querier can then trace the source accurately and immediately from the subscriber information and the basic data provided by the operator (such as subscriber registration information and base station location), providing strong technical support and assurance for rapid response to the attack event.
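The chain formed by the third traffic receiver, the judging module and the source tracing querier above (the same chain as steps S20 to S40 of Example one) can be followed end to end on a single packet. The following is an added example written for this page, not code from the patent or its assignees: it strips the GTP-U header that carries the N3 user plane, checks the inner destination against a constructed malicious IP list standing in for the feature library, and on a hit resolves (UE IP, tunnel ID) to a subscriber row. The packet builders, the subscriber rows, the IP list and every identifier in them are constructed for the example; the patent specifies none of them.

```python
import ipaddress
import struct

GTPU_GPDU = 0xFF  # G-PDU message type: the payload is the UE's IP packet


def decapsulate_gtpu(frame: bytes) -> tuple[int, bytes]:
    """Strip a GTPv1-U header (3GPP TS 29.281) and return (TEID, inner packet).

    Mandatory header: flags(1) msg_type(1) length(2) TEID(4). If any of the
    E/S/PN flag bits is set, 4 optional octets follow (sequence, N-PDU,
    next extension type); with E set, extension headers follow, each
    length(1, in 4-octet units) ... next_type(1), ending when next_type is 0.
    'length' counts every octet after the first 8. Anything malformed raises
    ValueError so that it is never silently treated as user traffic.
    """
    if len(frame) < 8:
        raise ValueError("GTP-U header truncated")
    flags, msg_type, length, teid = struct.unpack("!BBHI", frame[:8])
    if flags >> 5 != 1 or not flags & 0x10:   # version 1, PT=1 (GTP, not GTP')
        raise ValueError("not a GTPv1-U packet")
    if msg_type != GTPU_GPDU:
        raise ValueError(f"not a G-PDU (message type 0x{msg_type:02x})")
    end = 8 + length
    if len(frame) < end:
        raise ValueError("GTP-U payload truncated")
    offset = 8
    if flags & 0x07:                          # E, S or PN present
        offset += 4
        if offset > end:
            raise ValueError("GTP-U optional fields truncated")
        next_ext = frame[offset - 1] if flags & 0x04 else 0
        while next_ext != 0:
            if offset >= end:
                raise ValueError("GTP-U extension header truncated")
            ext_len = frame[offset] * 4
            if ext_len == 0 or offset + ext_len > end:
                raise ValueError("bad GTP-U extension header")
            next_ext = frame[offset + ext_len - 1]
            offset += ext_len
    return teid, frame[offset:end]


def inner_ipv4_endpoints(pkt: bytes) -> tuple[str, str, int]:
    """Return (src, dst, protocol) of the decapsulated IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    return (str(ipaddress.IPv4Address(pkt[12:16])),
            str(ipaddress.IPv4Address(pkt[16:20])), pkt[9])


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed inner packet: minimal IPv4 header, checksum left at 0."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_gtpu(teid: int, inner: bytes, ext_type: int = 0,
               ext_body: bytes = b"") -> bytes:
    """Constructed N3 frame. With ext_type == 0: flags 0x30 (v1, PT=1, no
    optional fields). Otherwise flags 0x34 (E set), the optional octets, and
    ext_body as the extension chain (its last byte must be the 0 terminator)."""
    if ext_type:
        body = b"\x00\x00\x00" + bytes([ext_type]) + ext_body + inner
        return struct.pack("!BBHI", 0x34, GTPU_GPDU, len(body), teid) + body
    return struct.pack("!BBHI", 0x30, GTPU_GPDU, len(inner), teid) + inner


# Constructed information table: rows keyed by (UE IP, tunnel ID) as the user
# information storage module would hold them. IMSI/MSISDN values are fictitious.
# The same UE IP appears under two TEIDs: the address was recycled to a new session.
SUBSCRIBERS = {
    ("10.45.0.7", 0x1A2B): {"imsi": "460000000000001", "msisdn": "13800000001",
                            "tac": "0x0001", "cell_id": "0x0000101", "dnn": "internet"},
    ("10.45.0.7", 0x1A2C): {"imsi": "460000000000002", "msisdn": "13800000002",
                            "tac": "0x0001", "cell_id": "0x0000102", "dnn": "internet"},
}

# Constructed stand-in for the malicious IP library (a TEST-NET-3 address).
MALICIOUS_IPS = {"203.0.113.66"}


def trace_n3_frame(frame: bytes, table=SUBSCRIBERS, bad_ips=MALICIOUS_IPS):
    """S20 to S40 on one uplink N3 frame: decapsulate, check the inner
    destination against the IP library, and on a hit resolve (UE IP, TEID) to
    a subscriber. Returns None for clean traffic; on a hit returns the alert
    with the row, or with subscriber=None when the tunnel is unknown, so the
    alert itself is never dropped because attribution failed."""
    teid, inner = decapsulate_gtpu(frame)
    src, dst, proto = inner_ipv4_endpoints(inner)
    if dst not in bad_ips:
        return None
    return {"ue_ip": src, "teid": teid, "dst": dst, "proto": proto,
            "subscriber": table.get((src, teid))}


if __name__ == "__main__":
    frame = build_gtpu(0x1A2C, build_ipv4("10.45.0.7", "203.0.113.66", 6,
                                          b"GET / HTTP/1.1\r\n"))
    print(trace_n3_frame(frame))
```

The example only looks at uplink frames, where the inner source address is the UE's. The lookup key deliberately includes the TEID and not just the UE IP: a private UE address is assigned per PDU session and is handed out again once that session is released, so attribution by IP alone pins an old session's attack on whoever holds the address when the analyst looks. Malformed tunnel frames raise instead of being parsed as user traffic, and a hit whose (IP, TEID) pair is not in the table is still returned with an empty subscriber, because an attribution gap should reach the analyst rather than suppress the detection.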
As a further preferred embodiment, the SA architecture-based 5G network APT attack tracing system further comprises a signaling analysis unit interacting with the APT early warning unit, the signaling analysis unit comprising:
the traffic acquisition module, which acquires first-interface, second-interface and eleventh-interface traffic data;
the information flow analysis module, which obtains the source characteristic data from the first-interface, second-interface and/or eleventh-interface traffic data; it receives that traffic so that the signaling flows of the first, second and eleventh interfaces are load-balanced onto the receiving and processing threads; and
the information encapsulation module, which forms the warning data from the source characteristic data, the address data matched to it and the tunnel information. The information encapsulation module parses messages such as Registration Request and Service Request, extracts the SUCI or 5G-GUTI of the UE, obtains the SUPI in combination with the encryption and decryption procedure, extracts the TAC and Cell ID from the PDU Session Resource Modify message, extracts the IMSI, MSISDN, TAC, Cell ID, APN and so on, and encapsulates them into a UDP packet; it then sends the encapsulated UDP subscriber information packet to the APT early warning unit in DPDK mode or socket mode.
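The UDP subscriber information packet that the information encapsulation module sends to the user information storage module (step S103 and the "Illustratively" paragraph of Example one describe the same exchange) is where the attribution data crosses from the signaling plane into the APT early warning unit. The patent says only that the fields are encapsulated into a UDP packet, so the following added example, written for this page and not taken from the patent, assumes a small versioned TLV wire format of its own; the field names, the sample record and the sender allow-list are likewise assumptions. It encodes a record on the signaling side, decodes and validates it on the APT side, and stores it under the (UE IP, tunnel ID) key that step S40 later queries.

```python
import socket
import struct
from typing import Optional

# Constructed wire format (an assumption; the patent only says "a UDP packet"):
# version(1) followed by TLV fields tag(1) length(1) value(length).
VERSION = 1
TAGS = {1: "imsi", 2: "msisdn", 3: "tac", 4: "cell_id", 5: "dnn",
        6: "ue_ip", 7: "teid"}
TAG_OF = {name: tag for tag, name in TAGS.items()}
REQUIRED = {"imsi", "ue_ip", "teid"}   # without these a row cannot be traced

# Constructed sample record: fictitious IMSI/MSISDN, arbitrary TAC/Cell ID.
SAMPLE_RECORD = {"imsi": "460000000000001", "msisdn": "13800000001",
                 "tac": "0x0001", "cell_id": "0x0000101", "dnn": "internet",
                 "ue_ip": "10.45.0.7", "teid": 0x1A2B}


def encode_subscriber(rec: dict) -> bytes:
    """Signaling side: pack one subscriber record into a UDP payload."""
    out = bytes([VERSION])
    for name, value in rec.items():
        raw = struct.pack("!I", value) if name == "teid" else str(value).encode()
        if len(raw) > 255:
            raise ValueError(f"{name} too long for a one-byte length")
        out += bytes([TAG_OF[name], len(raw)]) + raw
    return out


def decode_subscriber(payload: bytes) -> dict:
    """APT side: parse and validate a payload. Anything malformed raises
    ValueError so that a damaged datagram never becomes a partial table row."""
    if not payload or payload[0] != VERSION:
        raise ValueError("unsupported version")
    rec, i = {}, 1
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated TLV header")
        tag, ln = payload[i], payload[i + 1]
        raw = payload[i + 2:i + 2 + ln]
        if len(raw) != ln:
            raise ValueError("truncated TLV value")
        name = TAGS.get(tag)
        if name is None:
            raise ValueError(f"unknown tag {tag}")
        if name in rec:
            raise ValueError(f"duplicate field {name}")
        if name == "teid":
            if ln != 4:
                raise ValueError("TEID must be 4 octets")
            rec[name] = struct.unpack("!I", raw)[0]
        else:
            rec[name] = raw.decode("ascii")
        i += 2 + ln
    missing = REQUIRED - rec.keys()
    if missing:
        raise ValueError(f"missing {sorted(missing)}")
    return rec


class InfoTable:
    """The information table of step S10: rows keyed by (UE IP, tunnel ID)."""

    def __init__(self) -> None:
        self._rows: dict = {}

    def ingest(self, payload: bytes, sender: tuple,
               allowed_senders: set) -> tuple:
        # Only the signaling analysis unit may populate the table (assumed
        # allow-list); an unauthenticated port would let anyone plant a row.
        if sender[0] not in allowed_senders:
            raise PermissionError(f"subscriber data from unexpected source {sender[0]}")
        rec = decode_subscriber(payload)
        key = (rec["ue_ip"], rec["teid"])
        self._rows[key] = rec          # latest record for a tunnel wins
        return key

    def trace(self, ue_ip: str, teid: int) -> Optional[dict]:
        """Step S40 lookup: the subscriber behind an attacking (IP, TEID)."""
        return self._rows.get((ue_ip, teid))


if __name__ == "__main__":
    # "Socket mode" over loopback: signaling unit -> APT early warning unit.
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx.sendto(encode_subscriber(SAMPLE_RECORD), rx.getsockname())
    payload, sender = rx.recvfrom(2048)
    table = InfoTable()
    print("stored", table.ingest(payload, sender, {"127.0.0.1"}))
    print("trace ", table.trace("10.45.0.7", 0x1A2B))
```

Validation rejects truncated, duplicated or unknown fields rather than storing a partial row, and the sender check matters because anyone who can deliver a datagram to this port could otherwise plant a false attribution and have an innocent subscriber traced; in a real deployment the channel should be authenticated rather than filtered by source address alone. The `__main__` block exercises the same path over a loopback UDP socket, which is the patent's "socket mode" in the smallest form.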
In a further aspect, the invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements any one of the foregoing 5G network APT attack tracing methods based on the SA architecture.
Those skilled in the art will understand that all or part of the steps of the methods in the above embodiments may be implemented by a program instructing the related hardware; the program is stored in a storage medium and comprises instructions that cause a device (which may be a single-chip microcomputer, a chip, etc.) or a processor to execute all or part of the steps of the methods in the embodiments of the present application. The storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, and other media capable of storing program code.
Those of ordinary skill in the art will understand that the foregoing embodiments are specific examples of carrying out the invention, and that various changes in form and detail may be made in practice without departing from its spirit and scope.

Claims (10)

1. A 5G network APT attack tracing method based on an SA architecture, characterized by comprising the following steps:
forming a key from source characteristic data and tunnel information, and storing an information table built on the key and matched to warning data;
acquiring third-interface traffic data and parsing and processing it into detection data;
when the detection data matches a preset state, querying the information table and obtaining the matching key from it; and
tracing, by the key, the source characteristic data matched to it.
2. The method of claim 1, wherein forming a key from the source characteristic data and the tunnel information and storing an information table built on the key and matched to the warning data comprises:
acquiring first-interface, second-interface and eleventh-interface traffic data;
obtaining the source characteristic data from the first-interface, second-interface and/or eleventh-interface traffic data; and
forming the warning data from the source characteristic data, the address data matched to the source characteristic data and the tunnel information.
3. The method of claim 2, wherein forming the warning data from the source characteristic data, the address data matched to the source characteristic data and the tunnel information specifically comprises:
obtaining, from the source characteristic data, key data matched to it and address data matched to it; and
forming the warning data from the key data, the address data and the tunnel information.
4. The method according to claim 1, wherein acquiring third characteristic interface flow data and analyzing and processing the third characteristic interface flow data into detection data specifically comprises:
Acquiring third characteristic interface flow data, and performing decapsulation processing on the third characteristic interface flow data to form user flow data;
and analyzing, counting and restoring the user traffic data to form the detection data.
5. The SA architecture-based 5G network APT attack tracing method according to claim 1, wherein querying the information table when the detection data matches a preset state, and acquiring the keywords matched with the information table according to the information table, specifically comprises:
performing static detection and dynamic detection on the detection data, and judging whether the detection data has an attack behavior;
judging that the detection data is matched with a preset state when the detection data has an attack behavior;
and inquiring the information table, and acquiring the keywords matched with the information table according to the information table.
6. A 5G network APT attack tracing system based on an SA architecture, characterized in that it comprises at least an APT early warning unit, which comprises:
the user information storage module is used for forming a keyword according to the source characteristic data and the tunnel information and storing an information table which is established based on the keyword and matched with the warning data;
the information acquisition module is used for acquiring third characteristic interface flow data and analyzing and processing the third characteristic interface flow data into detection data;
the judging module is used for inquiring the information table when the detection data is matched with a preset state, and acquiring keywords matched with the information table according to the information table;
and the source tracing module traces the source characteristic data matched with the keywords according to the keywords.
7. The SA-architecture-based 5G network APT attack tracing system according to claim 6, further comprising a signaling parsing unit interacting with the APT early warning unit, wherein the signaling parsing unit comprises:
the flow acquisition module is used for acquiring first characteristic interface flow data, second characteristic interface flow data and eleventh characteristic interface flow data;
the information flow analysis module is used for acquiring source characteristic data according to the first characteristic interface flow data, the second characteristic interface flow data and/or the eleventh characteristic interface flow data;
and the information packaging module is used for forming warning data according to the source characteristic data, the address data matched with the source characteristic data and the tunnel information.
8. The SA architecture-based 5G network APT attack tracing system according to claim 7, wherein the information acquisition module specifically comprises:
The third flow receiver is used for acquiring third characteristic interface flow data and decapsulating the third characteristic interface flow data to form user flow data;
and the processing module is used for analyzing, counting and restoring the user flow data to form the detection data.
9. The SA architecture-based 5G network APT attack tracing system according to claim 7, wherein the judging module comprises:
the source tracing detector is used for performing static detection and dynamic detection on the detection data and judging whether the detection data has an attack behavior;
the APT judger is used for judging that the detection data is matched with a preset state when the detection data has an attack behavior;
and the source tracing inquirer is used for inquiring the information table and acquiring the keywords matched with the information table according to the information table.
10. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the SA architecture-based 5G network APT attack tracing method according to any one of claims 1 to 5.
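The procedure of claims 1 to 5 (build a keyed information table from control-plane signaling, decapsulate the user-plane traffic into user flows, run static and dynamic detection, then resolve the keyword of a hit back to its source record), as an added Python model written for this page. It is not code from the patent or from its assignees. It assumes, which the claims do not state, that the "third characteristic interface" is the 5G SA N3 interface carrying GTP-U, that "tunnel information" is the GTP-U TEID, that "source characteristic data" is the subscriber identity (SUPI) learned from N1/N2/N11 signaling, and that "address data" is the serving gNB identifier; the subscriber records, the N3 frames and the indicator list are constructed for the example.

```python
"""Added example (not the patent's code): keyed trace-back from N3 user traffic.

Assumptions not stated on the page: 'third characteristic interface' = 5G SA N3
(GTP-U), 'tunnel information' = GTP-U TEID, 'source characteristic data' = SUPI,
'address data' = serving gNB id. All records, packets and indicators are constructed."""
import struct
from collections import defaultdict
from dataclasses import dataclass

GTPU_MSG_GPDU = 0xFF                 # G-PDU message type (3GPP TS 29.281)
IOC_DESTINATIONS = {"203.0.113.66"}  # constructed indicator list (static detection)
SCAN_THRESHOLD = 5                   # distinct destination ports per tunnel (dynamic detection)

@dataclass
class SourceRecord:
    supi: str      # assumed 'source characteristic data'
    gnb_id: str    # assumed 'address data matched with the source characteristic data'
    ue_ip: str
    teid: int      # uplink GTP-U TEID, the 'tunnel information'

def make_key(ue_ip: str, teid: int) -> str:
    """Keyword = source characteristic data + tunnel information (claim 1)."""
    return f"{ue_ip}|{teid:#010x}"

def build_info_table(records):
    """Information table kept by the user-information storage module (claim 6)."""
    return {make_key(r.ue_ip, r.teid): r for r in records}

def decap_gtpu(frame: bytes):
    """Strip a GTPv1-U G-PDU header; returns (teid, inner IP packet).

    Handles the optional seq/N-PDU/next-ext octets and a chain of extension
    headers such as the PDU Session Container carried on N3."""
    if len(frame) < 8:
        raise ValueError("short GTP-U header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", frame[:8])
    if flags >> 5 != 1 or msg_type != GTPU_MSG_GPDU:
        raise ValueError("not a GTPv1-U G-PDU")
    off = 8
    if flags & 0x07:                  # E, S or PN set: 4 optional octets follow
        next_ext, off = frame[11], 12
        while next_ext != 0:          # each ext header: len/4, content, next type
            ext_len = frame[off] * 4
            next_ext = frame[off + ext_len - 1]
            off += ext_len
    return teid, frame[off:8 + length]

def parse_inner(pkt: bytes):
    """Restore the user flow: IPv4 5-tuple of the decapsulated packet."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4]) if proto in (6, 17) else (0, 0)
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}

def detect(flows):
    """Claim 5: static (indicator) plus dynamic (behaviour) detection.

    Returns the (ue_ip, teid) pairs judged to show attack behaviour."""
    hits, ports_seen = set(), defaultdict(set)
    for teid, f in flows:
        if f["dst"] in IOC_DESTINATIONS:
            hits.add((f["src"], teid))
        ports_seen[(f["src"], teid)].add(f["dport"])
    hits.update(k for k, ports in ports_seen.items() if len(ports) >= SCAN_THRESHOLD)
    return hits

def trace(info_table, hits):
    """Last step of claim 1: resolve each hit's keyword to its source record."""
    return {make_key(ip, teid): info_table.get(make_key(ip, teid)) for ip, teid in hits}

def build_ipv4_tcp(src, dst, sport, dport):
    """Constructed inner packet: minimal IPv4 header + 20-byte TCP SYN."""
    def ip(a): return bytes(int(x) for x in a.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, ip(src), ip(dst)) + tcp

def build_gtpu(teid, inner, with_ext=True):
    """Constructed N3 frame: G-PDU, optionally with a PDU Session Container ext header."""
    flags, ext = 0x30, b""
    if with_ext:
        flags |= 0x04   # E bit; seq(2) npdu(1) next=0x85, then one 4-octet ext header, next=0
        ext = b"\x00\x00\x00\x85" + b"\x01\x10\x00\x00"
    return struct.pack("!BBHI", flags, GTPU_MSG_GPDU, len(ext) + len(inner), teid) + ext + inner

def run_pipeline():
    """End-to-end: table from (constructed) signaling, decap N3, detect, trace."""
    table = build_info_table([
        SourceRecord("imsi-460001234567890", "gNB-0001", "10.45.0.7", 0x1001),
        SourceRecord("imsi-460001234567891", "gNB-0002", "10.45.0.9", 0x1002)])
    frames = [build_gtpu(0x1001, build_ipv4_tcp("10.45.0.7", "198.51.100.20", 40000 + p, p))
              for p in (21, 22, 23, 80, 443, 8080)]             # UE 1: port sweep
    frames.append(build_gtpu(0x1002, build_ipv4_tcp("10.45.0.9", "203.0.113.66", 51000, 443),
                             with_ext=False))                    # UE 2: contacts an indicator
    frames.append(build_gtpu(0x1003, build_ipv4_tcp("10.45.0.11", "198.51.100.20", 52000, 443)))
    flows = [(teid, parse_inner(inner)) for teid, inner in map(decap_gtpu, frames)]
    return trace(table, detect(flows))

if __name__ == "__main__":
    for key, rec in run_pipeline().items():
        print(key, "->", rec.supi if rec else "no session record (tunnel not in table)")
```

Two points a deployment has to get right that the model only hints at: the table must be written from PDU session establishment signaling and invalidated on session release, because TEIDs and UE addresses are reused and a stale entry attributes an attack to the wrong subscriber; and the GTP-U decapsulation must follow the extension-header chain, since N3 frames normally carry a PDU Session Container and a fixed 8-byte skip would mis-parse the inner packet.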

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010360640.9A CN111641951B (en) 2020-04-30 2020-04-30 5G network APT attack tracing method and system based on SA architecture

Publications (2)

Publication Number Publication Date
CN111641951A (en) 2020-09-08
CN111641951B (en) 2023-10-24

Family

ID=72331903

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010360640.9A Active CN111641951B (en) 2020-04-30 2020-04-30 5G network APT attack tracing method and system based on SA architecture

Country Status (1)

Country Link
CN (1) CN111641951B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112203230A (en) * 2020-09-28 2021-01-08 Nanjing Haohan Information Technology Co., Ltd. (南京皓汉信息技术有限公司) 5G identity information acquisition and position judgment method and device
CN112543198A (en) * 2020-12-03 2021-03-23 Eversec (Beijing) Technology Co., Ltd. (恒安嘉新(北京)科技股份公司) Honeypot monitoring method, honeypot core network element, equipment and storage medium
CN112543198B (en) * 2020-12-03 2023-06-02 Eversec (Beijing) Technology Co., Ltd. (恒安嘉新(北京)科技股份公司) Honeypot monitoring method, honeypot core network element, equipment and storage medium
CN113114692A (en) * 2021-04-16 2021-07-13 Eversec (Beijing) Technology Co., Ltd. (恒安嘉新(北京)科技股份公司) 5G independent networking mobile network honeypot system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090282478A1 (en) * 2008-05-09 2009-11-12 Wu Jiang Method and apparatus for processing network attack
US20150067858A1 (en) * 2013-08-28 2015-03-05 Cassidian Cybersecurity Sas Detecting unwanted intrusions into an information network
CN105376245A (en) * 2015-11-27 2016-03-02 Hangzhou DBAPPSecurity Co., Ltd. (杭州安恒信息技术有限公司) Rule-based detection method of APT attack behavior
US20160127395A1 (en) * 2014-10-31 2016-05-05 Cyber Crucible Inc. System and method for network intrusion detection of covert channels based on off-line network traffic
CN107733913A (en) * 2017-11-04 2018-02-23 Wuhan Hongxu Information Technology Co., Ltd. (武汉虹旭信息技术有限责任公司) 5G network attack traceability system and method
US20180367566A1 (en) * 2016-02-29 2018-12-20 Alibaba Group Holding Limited Prevention and control method, apparatus and system for network attack

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
Zhang Lu (张璐): "APT detection and defense", Netinfo Security (信息网络安全), no. 1 *
Zeng Weilin, Li Guihua, Chen Jinwei (曾玮琳, 李贵华, 陈锦伟): "Research on a network security protection system model for APT intrusion and its key technologies", Modern Electronics Technique (现代电子技术), no. 17 *
Tan Bin, Liang Yeyu, Li Weiyuan (谭彬, 梁业裕, 李伟渊): "Research on traffic-based attack tracing analysis and protection methods", Telecom Engineering Technics and Standardization (电信工程技术与标准化), no. 12 *
Zhao Meng (赵梦): "Network security situation awareness in a big-data environment", Netinfo Security (信息网络安全), no. 09 *

Also Published As

Publication number Publication date
CN111641951B (en) 2023-10-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant