CN111641951B - 5G network APT attack tracing method and system based on SA architecture - Google Patents


Publication number
CN111641951B
Authority
CN
China
Application number
CN202010360640.9A
Other languages
Chinese (zh)
Other versions
CN111641951A
Inventor
王悦
李晢燊
冯林
李伟
孔令南
陈东
魏来
吕明
陈敏时
郑佳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sino Telecom Technology Co inc
China Mobile Communications Group Co Ltd
China Mobile Group Yunnan Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/903 Querying
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection


Abstract

The application discloses a 5G network APT attack tracing method based on the SA (standalone) architecture, comprising the following steps: forming a key from the source feature data and the tunnel information, and storing an information table that maps the key to the alert data; acquiring N3 interface (third characteristic interface) traffic data, and parsing and processing it into detection data; when the detection data matches a preset state, querying the information table and obtaining the matching key from it; and tracing back, by that key, to the source feature data matched to the key.

Description

5G network APT attack tracing method and system based on SA architecture
Technical Field
The application relates to the technical field of information security, in particular to a 5G network APT attack tracing method and system based on the SA (standalone) architecture.
Background
The fifth-generation mobile communication system (5G), as a major direction of the evolution of information and communication technology, is an important driving force for the digital transformation of critical information infrastructure and of an economy and society in which everything is interconnected. According to IDC forecasts, the number of IoT devices worldwide will reach 41.6 billion by 2025. Industrial internet, internet of vehicles, smart grid, smart city and military networks are all being built on 5G networks; from connecting people, to connecting things, to connecting people with things, 5G is building an intelligent world in which everything is interconnected. 5G offers richer services and a better user experience at higher speed, larger capacity and lower cost, but it also brings more security challenges: the threats it faces are broader and more complex, and as cloud computing, artificial intelligence, big data, the Internet of Things, blockchain and other emerging technologies develop, the former security perimeter dissolves, malicious attacks become more rampant and network security threats are everywhere. An advanced persistent threat (APT) is an attack mode that bypasses conventional security detection and protection measures and steals the core data and other information of a network information system through careful disguise, targeted attacks, long-term dormancy and continuous penetration. An APT attack is more sophisticated than other attack forms; its advanced nature lies mainly in the fact that, before launching the attack, the attacker precisely collects information about the business processes and target systems of the victim.
During this information collection the attacker actively mines vulnerabilities in the trusted systems and applications of the victim, builds the command-and-control (C&C) network it needs on the basis of those vulnerabilities, and takes no action that would trigger an alarm on conventional security equipment or arouse suspicion, so that the attacker's system or program looks as if it belongs to the victim's own environment. With all kinds of devices accessing the 5G network, APT attacks on mobile networks are also growing explosively. Conventional APT detection systems are generally aimed at fixed networks, their tracing is limited to the IP dimension, and neither the timeliness nor the accuracy of tracing can be effectively guaranteed. 5G is now commercially available and is being deployed at scale worldwide; NSA (non-standalone) networking is a transitional 4G-to-5G scheme, while SA (standalone) networking is the inevitable future trend, so research on an APT attack tracing system for 5G networks based on the SA architecture is both imperative and significant.
Disclosure of Invention
The application aims to provide a 5G network APT attack tracing method and system based on the SA architecture, in order to solve the problems of APT attack detection and tracing in the current 5G network environment.
In one aspect, the application provides a 5G network APT attack tracing method based on the SA architecture, comprising the following steps:
forming a key from the source feature data and the tunnel information, and storing an information table that maps the key to the alert data;
acquiring N3 interface traffic data, and parsing and processing it into detection data;
when the detection data matches a preset state, querying the information table and obtaining the matching key from it;
and tracing back, by that key, to the source feature data matched to the key.
Preferably, in the above method, forming a key from the source feature data and the tunnel information, and storing an information table that maps the key to the alert data, specifically comprises:
acquiring N1 interface, N2 interface and N11 interface traffic data;
acquiring source feature data from the N1 and/or N2 and/or N11 interface traffic data;
and forming alert data from the source feature data, the address data matched with the source feature data and the tunnel information.
Preferably, in the above method, forming alert data from the source feature data, the address data matched with it and the tunnel information specifically comprises:
acquiring, from the source feature data, the key data matched with it and the address data matched with it;
and forming the alert data from the key data, the address data and the tunnel information.
Preferably, in the above method, acquiring N3 interface traffic data and parsing it into detection data specifically comprises:
acquiring N3 interface traffic data and unpacking it to form user traffic data;
and performing analysis, statistics and restoration on the user traffic data to form the detection data.
Preferably, in the above method, querying the information table when the detection data matches a preset state, and obtaining the matching key from it, specifically comprises:
performing static detection and dynamic detection on the detection data, and judging whether it exhibits attack behaviour;
judging that the detection data matches the preset state when it exhibits attack behaviour;
and querying the information table and obtaining the matching key from it.
In another aspect, the application relates to a 5G network APT attack tracing system based on the SA architecture, comprising at least an APT early-warning unit, which comprises:
a user information storage module for forming a key from the source feature data and the tunnel information, and storing an information table that maps the key to the alert data;
an information acquisition module for acquiring N3 interface traffic data, and parsing and processing it into detection data;
a judging module for querying the information table when the detection data matches a preset state, and obtaining the matching key from it;
and a tracing module for tracing back, by that key, to the source feature data matched to the key.
Preferably, the above system further comprises a signalling analysis unit that exchanges information with the APT early-warning unit, the signalling analysis unit comprising:
a traffic acquisition module for acquiring N1 interface, N2 interface and N11 interface traffic data;
an information flow analysis module for acquiring source feature data from the N1 and/or N2 and/or N11 interface traffic data;
and an information packaging module for forming alert data from the source feature data, the address data matched with it and the tunnel information.
Preferably, in the above system, the information acquisition module specifically comprises:
an N3 traffic receiver for acquiring N3 interface traffic data and unpacking it to form user traffic data;
and a processing module for performing analysis, statistics and restoration on the user traffic data to form the detection data.
Preferably, in the above system, the judging module comprises:
a tracing detector for performing static detection and dynamic detection on the detection data, and judging whether it exhibits attack behaviour;
an APT judging device for judging that the detection data matches the preset state when it exhibits attack behaviour;
and a tracing querier for querying the information table and obtaining the matching key from it.
In still another aspect, the application provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements any of the 5G network APT attack tracing methods based on the SA architecture described above.
Compared with the prior art, the application has the following beneficial effects:
The application can effectively detect APT attacks in a 5G network, trace their source quickly, stop the threat in time and better protect data. In a 5G network a terminal exchanges signalling messages such as Registration Request and Service Request, so by the time a terminal launches an attack it has already accessed the network, the signalling analysis platform has already delivered the terminal's user information to the APT detection platform, and that user information was registered with the operator, which makes the trace genuine and effective. An APT attack event is detected at once, and the attacker's information is traced from the attack source IP immediately, without any further correlation queries. Because the attack source is associated with a specific subscriber through the signalling plane, the specific person can be located when an attack occurs, and the position of the attack initiator can be determined accurately at the same time.
Drawings
Fig. 1 is a diagram of the acquisition points of the system on the 5G core network side according to an embodiment of the application;
Fig. 2 is a diagram of the 5G network APT attack tracing system based on the SA architecture according to an embodiment of the application.
Detailed Description
The principles and features of the application are described below with reference to the drawings; the illustrated embodiments serve to illustrate the application and are not to be construed as limiting its scope.
Example 1
As shown in Fig. 1, the application provides a 5G network APT attack tracing method based on the SA architecture. Below, N1, N2, N3 and N11 denote the reference points of the 5G SA core network (N1: UE-to-AMF NAS signalling; N2: gNB-to-AMF control plane; N3: gNB-to-UPF user plane; N11: AMF-to-SMF); the machine translation renders them as the first, second, third and eleventh "characteristic interface". The method comprises:
S10, forming a key from the source feature data and the tunnel information, and storing an information table that maps the key to the alert data;
S20, acquiring N3 interface traffic data, and parsing and processing it into detection data; the N3 interface traffic is received in DPDK mode. Specifically:
Step S201, acquiring N3 interface traffic data and unpacking it (removing the GTP-U tunnel encapsulation) to form user traffic data;
Step S202, performing analysis, statistics and restoration on the user traffic data to form the detection data. Files are restored according to configuration, mainly for HTTP, IMAP, POP, SMTP, FTP and other protocols; the file types include Office documents, archives, PE files, scripts and images. At the same time, suspicious traffic such as abnormal protocols, abnormal traffic volumes, dynamic domain names and covert channels is marked and counted.
Step S30, when the detection data matches a preset state, querying the information table and obtaining the matching key from it. By way of example, static detection and dynamic detection are performed on the detection data to judge whether it exhibits attack behaviour. The tracing detector comprises at least a feature library, which holds at least a virus signature library, a black/white file hash library, an intrusion signature library, an attack signature library and a malicious IP/URL/domain library; with this feature information, known Trojans, viruses, vulnerability exploits and malicious code are detected effectively and accurately. The detection data is judged to match the preset state when it exhibits attack behaviour. The APT judging device comprises at least a static detection module, a dynamic detection module and a threat judging module. The dynamic detection module is provided with a machine learning model, which uses time-sequence analysis, Kill Chain analysis and entity-relationship analysis to build a threat-behaviour recognition model that serves as the basis for dynamic detection; dynamic detection performs behaviour analysis on suspicious traffic according to this model, covering Trojan communication, covert tunnels, DGA domain names, webshell control, and leakage or theft of sensitive information, so that unknown threats can be detected effectively. The threat judging module decides whether an attack has occurred according to the configured threshold parameters and threat indices.
Step S40, tracing back, by the key, to the matching source feature data. If a threat is judged to exist, the user information is queried by user IP and tunnel ID; with that user information and the basic data supplied by the operator (such as subscriber registration information and base-station location), the tracing querier can immediately and accurately establish who attacked and from where, giving strong technical support for rapid response to attack events.
As a further preferred embodiment, in the above method, forming a key from the source feature data and the tunnel information, and storing an information table that maps the key to the alert data, specifically comprises:
Step S101, acquiring N1 interface, N2 interface and N11 interface traffic data; the N1 interface traffic is received in DPDK mode;
Step S102, acquiring source feature data from the N1, N2 and/or N11 interface traffic data: messages such as Registration Request, Deregistration Request and Service Request are parsed from that traffic, the SUCI or 5G-GUTI of the UE is extracted, the SUPI is recovered in combination with the encryption and decryption process, TAC and Cell ID are extracted from the PDU Session Resource Modify message, and DNN, GPSI and other information are extracted from the SM context. From the parsed results the user's IMSI, MSISDN, TAC, Cell ID and APN are obtained continuously, together with the user IP and the tunnel ID. (Note: the SUCI conceals the SUPI under the home network's public key, so a passive probe can only recover the SUPI with the operator's de-concealment keys or by correlating the 5G-GUTI assigned at registration with identities obtained elsewhere in the core.)
Step S103, forming alert data from the source feature data, the address data matched with it and the tunnel information, specifically comprising:
Step S1031, acquiring, from the source feature data, the key data matched with it and the address data matched with it;
Step S1032, forming the alert data from the key data, the address data and the tunnel information.
For example, the user's IMSI, MSISDN, TAC, Cell ID and APN, the user IP and the tunnel ID are acquired, encapsulated into UDP packets to form the alert data, and output via DPDK or a socket.
As a further preferred embodiment, in the above method, querying the information table when the detection data matches a preset state, and obtaining the matching key from it, specifically comprises:
performing static detection and dynamic detection on the detection data, and judging whether it exhibits attack behaviour;
judging that the detection data matches the preset state when it exhibits attack behaviour;
and querying the information table and obtaining the matching key from it.
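The procedure of steps S10 to S40 and S101 to S1032 end to end, as an added example that is not code from the patent: the signalling side packs IMSI, MSISDN, TAC, Cell ID, DNN, UE IP and tunnel ID into a UDP alert record; the APT early-warning unit keys its information table on (UE IP, TEID), strips the GTP-U header from an N3 G-PDU, checks the inner flow against a malicious-IP library and traces a hit back to the subscriber through the same key. The record layout, the identities, the addresses and the malicious-IP list are assumptions constructed for the example; only the GTP-U header layout (3GPP TS 29.281) is real. It goes slightly beyond the text in validating the GTP-U length field and walking extension headers, which a receiver on a live N3 tap has to do before it can trust the inner packet.

```python
"""Key formation, N3 unpacking and subscriber trace-back (added example, not the patent's code).
Signalling side: the subscriber context learned on N1/N2/N11 is packed into a UDP alert record.
APT unit: the record is stored in an information table keyed on (UE IP, TEID); N3 G-PDUs are
stripped of the GTP-U header, the inner flow is inspected, and a hit is traced back to the
subscriber through the same key. The record layout, identities and malicious-IP list are
constructed; only the GTP-U header layout follows 3GPP TS 29.281."""
import ipaddress
import struct

# Hypothetical fixed-width record: IMSI(15) MSISDN(15) TAC(3) NCI(8) DNN(32) UE-IP(4) TEID(4).
ALERT_FMT = "!15s15s3sQ32s4sI"
ALERT_LEN = struct.calcsize(ALERT_FMT)
GTPU_GPDU = 0xFF  # GTP-U message type carrying a user packet (T-PDU)

def pack_alert(imsi, msisdn, tac, nci, dnn, ue_ip, teid):
    """Signalling side: encapsulate the subscriber context into one UDP payload."""
    # struct pads "Ns" fields with NUL bytes, so short identities need no manual padding.
    return struct.pack(ALERT_FMT, imsi.encode(), msisdn.encode(), tac.to_bytes(3, "big"),
                       nci, dnn.encode(), ipaddress.IPv4Address(ue_ip).packed, teid)

def unpack_alert(payload):
    """APT unit: decode one alert record; rejects a malformed length."""
    if len(payload) != ALERT_LEN:
        raise ValueError("bad alert record length %d" % len(payload))
    imsi, msisdn, tac, nci, dnn, ip, teid = struct.unpack(ALERT_FMT, payload)
    return {"imsi": imsi.rstrip(b"\0").decode(), "msisdn": msisdn.rstrip(b"\0").decode(),
            "tac": int.from_bytes(tac, "big"), "nci": nci, "dnn": dnn.rstrip(b"\0").decode(),
            "ue_ip": str(ipaddress.IPv4Address(ip)), "teid": teid}

class SubscriberTable:
    """Information table: (UE IP, TEID) -> subscriber context from the signalling plane."""
    def __init__(self):
        self._rows = {}

    def learn(self, payload):
        rec = unpack_alert(payload)
        self._rows[(rec["ue_ip"], rec["teid"])] = rec  # a newer record replaces an older one
        return rec

    def lookup(self, ue_ip, teid):
        return self._rows.get((ue_ip, teid))

def unpack_gtpu(datagram):
    """Strip the GTP-U header from an N3 UDP payload; return (TEID, inner packet)."""
    if len(datagram) < 8:
        raise ValueError("short GTP-U header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", datagram[:8])
    if flags >> 5 != 1 or not flags & 0x10 or msg_type != GTPU_GPDU:
        raise ValueError("not a GTPv1-U G-PDU")
    if len(datagram) != 8 + length:
        raise ValueError("GTP-U length field does not match the datagram")
    hdr = 8
    if flags & 0x07:          # E, S or PN flag: sequence, N-PDU and next-extension bytes present
        hdr = 12
        next_ext = datagram[11]
        while next_ext:       # walk extension headers; their length is in 4-byte units
            ext_len = datagram[hdr] * 4
            if ext_len == 0 or hdr + ext_len > len(datagram):
                raise ValueError("bad GTP-U extension header")
            next_ext = datagram[hdr + ext_len - 1]
            hdr += ext_len
    return teid, datagram[hdr:]

def inner_ipv4(packet):
    """Return (src, dst, protocol) of the de-tunnelled user packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    return (str(ipaddress.IPv4Address(packet[12:16])),
            str(ipaddress.IPv4Address(packet[16:20])), packet[9])

def inspect_n3(datagram, table, malicious_ips):
    """Static check of the inner flow against a malicious-IP library; trace back on a hit."""
    teid, inner = unpack_gtpu(datagram)
    src, dst, proto = inner_ipv4(inner)
    if dst not in malicious_ips:
        return None
    # Uplink: the inner source address is the UE IP, so (src, TEID) is the table key.
    return {"src": src, "dst": dst, "proto": proto, "teid": teid,
            "subscriber": table.lookup(src, teid)}  # None if signalling never delivered this UE

def build_sample_gpdu(ue_ip="10.45.0.7", dst="203.0.113.10", teid=0x1A2B3C4D):
    """Constructed uplink G-PDU with the S flag set (4 optional bytes, no extension header)."""
    inner = bytearray(28)
    inner[0], inner[8], inner[9] = 0x45, 64, 17             # IPv4, IHL 5, TTL 64, UDP
    struct.pack_into("!H", inner, 2, len(inner))
    inner[12:16] = ipaddress.IPv4Address(ue_ip).packed
    inner[16:20] = ipaddress.IPv4Address(dst).packed
    struct.pack_into("!HHHH", inner, 20, 40000, 53, 8, 0)    # UDP header, empty payload
    header = struct.pack("!BBHI", 0x32, GTPU_GPDU, 4 + len(inner), teid)
    return header + struct.pack("!HBB", 7, 0, 0) + bytes(inner)

def demo():
    """Learn one subscriber from a constructed alert record, then inspect one N3 packet."""
    table = SubscriberTable()
    table.learn(pack_alert("460001234567890", "8613900000000", 0x0A1B2C, 0x123456789,
                           "internet", "10.45.0.7", 0x1A2B3C4D))
    return inspect_n3(build_sample_gpdu(), table, {"203.0.113.10"})
```

`demo()` returns the hit with the subscriber context attached; a hit whose (UE IP, TEID) was never delivered by the signalling side comes back with `subscriber` set to `None`, which is the case an operator must alarm on separately, since it means the N3 tap is seeing a tunnel the signalling tap did not.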
Example 2
As shown in Fig. 2, in another aspect, the application provides a 5G network APT attack tracing system based on the SA architecture, comprising at least an APT early-warning unit. The APT early-warning unit may be deployed on the 5G core network side, for example between the (R)AN and the UPF. The N1, N2 and N11 interface traffic can be fed to the traffic acquisition module by optical splitting or port mirroring, and the N3 interface traffic to the N3 traffic receiver. The APT early-warning unit comprises:
a user information storage module for forming a key from the source feature data and the tunnel information, and storing an information table that maps the key to the alert data;
an information acquisition module for acquiring N3 interface traffic data, which the N3 interface receives (packet capture) in DPDK mode, and parsing and processing it into detection data; the information acquisition module specifically comprises:
an N3 traffic receiver for acquiring N3 interface traffic data and unpacking it to form user traffic data;
and a processing module for performing analysis, statistics and restoration on the user traffic data to form the detection data. The processing module mainly restores files according to configuration for HTTP, IMAP, POP, SMTP, FTP and other protocols, the file types including Office documents, archives, PE files, scripts and images; at the same time it marks and counts suspicious traffic such as abnormal protocols, abnormal traffic volumes, dynamic domain names and covert channels. The N3 traffic receiver and the processing module distribute the N3 user-plane traffic across receiving and processing threads by load balancing.
a judging module for querying the information table when the detection data matches a preset state, and obtaining the matching key from it. The judging module comprises at least a feature library, which holds at least a virus signature library, a black/white file hash library, an intrusion signature library, an attack signature library and a malicious IP/URL/domain library; with this feature information, known Trojans, viruses, vulnerability exploits and malicious code are detected effectively and accurately.
The APT judging device judges that the detection data matches the preset state when it exhibits attack behaviour. It comprises at least a static detection module, a dynamic detection module and a threat judging module. The dynamic detection module is provided with a machine learning model, which uses time-sequence analysis, Kill Chain analysis and entity-relationship analysis to build a threat-behaviour recognition model that serves as the basis for dynamic detection; dynamic detection performs behaviour analysis on suspicious traffic according to this model, covering Trojan communication, covert tunnels, DGA domain names, webshell control, and leakage or theft of sensitive information, so that unknown threats can be detected effectively. The threat judging module decides whether an attack has occurred according to the configured threshold parameters and threat indices.
and a tracing module for tracing back, by the key, to the matching source feature data, which specifically comprises:
a tracing querier for querying the information table and obtaining the matching key from it. If a threat is judged to exist, the user information is queried by user IP and tunnel ID; with that user information and the basic data supplied by the operator (such as subscriber registration information and base-station location), the tracing querier can immediately and accurately establish who attacked and from where, giving strong technical support for rapid response to attack events.
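The detection and threat-judging logic of the judging module and the APT judging device, as an added example that is not code from the patent, run over constructed traffic for two UEs: static matching against a feature library (malicious IP and domain lists, a malware hash list) plus two dynamic checks that stand in for the patent's machine-learning model, a time-sequence check for beaconing (near-constant call-back intervals to one host) and a DGA check on domain labels, followed by a weighted threat index compared with a configured threshold. The libraries, weights, threshold, flows, domains and hashes are all assumptions made for the example.

```python
"""Static and dynamic detection with a threshold verdict (added example, not the patent's code).
Static detection matches restored N3 flows against feature libraries; dynamic detection is a
simplified heuristic standing in for the patent's machine-learning model (beaconing by interval
regularity, DGA by label entropy/digit ratio); the threat judging step sums weighted indicators
and compares the index with a configured threshold. All flows, domains, hashes and library
entries are constructed."""
import hashlib
import math
import statistics
from collections import defaultdict

FEATURE_LIB = {                                   # stand-in for the patent's feature library
    "malicious_ips": {"203.0.113.10"},
    "malicious_domains": {"bad-update.example"},
    "malware_sha256": {hashlib.sha256(b"MZ\x90\x00 constructed sample").hexdigest()},
}
WEIGHTS = {"malicious_ip": 60, "malicious_domain": 60, "known_malware": 80,
           "beaconing": 40, "dga_domain": 30}
THRESHOLD = 50                                    # configured threshold parameter

def shannon_entropy(text):
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def looks_dga(domain):
    """Long, high-entropy or digit-heavy first label: typical of algorithmically generated names."""
    label = domain.split(".")[0]
    if len(label) < 10:
        return False
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    return shannon_entropy(label) > 3.3 or digit_ratio > 0.25

def beaconing_hosts(conns, min_count=4, max_cv=0.1):
    """Time-sequence analysis: destinations contacted at near-constant intervals."""
    by_dst = defaultdict(list)
    for ts, dst in conns:
        by_dst[dst].append(ts)
    hits = []
    for dst, stamps in by_dst.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            hits.append(dst)
    return hits

def judge(evidence, lib=FEATURE_LIB, weights=WEIGHTS, threshold=THRESHOLD):
    """Return (threat_index, indicators, is_attack) for one UE's restored traffic.
    evidence = {"conns": [(ts, dst_ip), ...], "dns": [domain, ...], "files": [sha256, ...]}"""
    found = []
    # static detection against the feature library
    if any(d in lib["malicious_ips"] for _, d in evidence["conns"]):
        found.append("malicious_ip")
    if any(d in lib["malicious_domains"] for d in evidence["dns"]):
        found.append("malicious_domain")
    if any(h in lib["malware_sha256"] for h in evidence["files"]):
        found.append("known_malware")
    # dynamic detection on behaviour
    if beaconing_hosts(evidence["conns"]):
        found.append("beaconing")
    if any(looks_dga(d) for d in evidence["dns"]):
        found.append("dga_domain")
    index = sum(weights[f] for f in found)
    return index, found, index >= threshold

# Constructed evidence for two UEs seen on N3.
SAMPLES = {
    "10.45.0.7": {  # implant calling home every 60 s and resolving a generated domain
        "conns": [(t, "198.51.100.20") for t in (0, 60, 121, 180, 240)],
        "dns": ["q7z1kx9v2mwd.example"],
        "files": [],
    },
    "10.45.0.8": {  # ordinary browsing: irregular connections, readable names, clean download
        "conns": [(0, "198.51.100.30"), (7, "198.51.100.31"), (95, "198.51.100.30"), (400, "198.51.100.32")],
        "dns": ["news.example", "cdn.example"],
        "files": [hashlib.sha256(b"benign document").hexdigest()],
    },
}

def run():
    """Judge every sampled UE; the result feeds the (UE IP, tunnel ID) trace-back query."""
    return {ue: judge(ev) for ue, ev in SAMPLES.items()}
```

Neither dynamic indicator alone crosses the threshold here (40 and 30 against 50), so a UE is flagged on behaviour only when two weak signals coincide, while a single static hit on a known-bad IP or hash is enough by itself; tuning those weights and the threshold against the operator's own false-positive budget is the part of the patent's "configured threshold parameter" that the example leaves to the reader.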
As a further preferred embodiment, the above system further comprises a signalling analysis unit that exchanges information with the APT early-warning unit, the signalling analysis unit comprising:
a traffic acquisition module for acquiring N1 interface, N2 interface and N11 interface traffic data;
an information flow analysis module for acquiring source feature data from the N1 and/or N2 and/or N11 interface traffic data; it receives the N1, N2 and N11 interface traffic and balances that signalling traffic across receiving and processing threads;
and an information packaging module for forming alert data from the source feature data, the address data matched with it and the tunnel information. The information packaging module parses Registration Request, Deregistration Request, Service Request and other messages, extracts the SUCI or 5G-GUTI of the UE, recovers the SUPI in combination with the encryption and decryption process, extracts TAC and Cell ID from the PDU Session Resource Modify message, extracts IMSI, MSISDN, TAC, Cell ID, APN and so on, and packages the data into UDP packets; the encapsulated UDP user-information packets are then sent to the APT early-warning unit via DPDK or a socket.
In still another aspect, the application provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements any of the 5G network APT attack tracing methods based on the SA architecture described above.
Those skilled in the art will appreciate that all or part of the steps of the above embodiments may be implemented by a program stored in a storage medium, the program containing instructions that cause a device (such as a single-chip microcomputer or a chip) or a processor to perform all or part of the steps of the methods of the embodiments of the application. The storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
Those of ordinary skill in the art will understand that the foregoing embodiments are specific examples of carrying out the application, and that various changes in form and detail may be made to them without departing from the spirit and scope of the application.

Claims (7)

1. A 5G network APT attack tracing method based on the SA architecture, characterized by comprising the following steps:
forming a key from the source feature data and the tunnel information, and storing an information table that maps the key to the alert data;
acquiring first characteristic interface traffic data, second characteristic interface traffic data and eleventh characteristic interface traffic data based on the SA architecture; acquiring source feature data from the first and/or second and/or eleventh characteristic interface traffic data; acquiring, from the source feature data, the key data matched with it and the address data matched with it;
forming the alert data from the key data, the address data and the tunnel information;
acquiring third characteristic interface traffic data, and parsing and processing it into detection data;
judging that the detection data matches a preset state when it exhibits attack behaviour;
querying the information table when the detection data matches the preset state, and obtaining the matching key from it;
and tracing back, by that key, to the source feature data matched to the key.
2. The 5G network APT attack tracing method based on an SA architecture according to claim 1, wherein acquiring third characteristic interface flow data and analyzing and processing the third characteristic interface flow data into detection data comprises:
Obtaining third characteristic interface flow data, and performing unpacking processing on the third characteristic interface flow data to form user flow data;
and performing analysis statistics and restoration on the user flow data to form the detection data.
3. The 5G network APT attack tracing method based on an SA architecture according to claim 1, wherein inquiring the information table when the detection data is matched with the preset state, and acquiring keywords matched with the information table according to the information table, specifically comprises:
performing static detection and dynamic detection on the detection data, and judging whether the detection data has attack behaviors or not;
judging that the detection data is matched with a preset state under the condition that the detection data has an attack behavior;
and inquiring the information table, and acquiring keywords matched with the information table according to the information table.
4. A 5G network APT attack traceability system based on an SA architecture, characterized in that it at least comprises an APT early warning unit and a control unit, wherein:
the user information storage module is used for forming a keyword according to the source characteristic data and the tunnel information, and storing an information table which is established to be matched with the warning data based on the keyword;
the flow acquisition module is used for acquiring first characteristic interface flow data, second characteristic interface flow data and eleventh characteristic interface flow data;
the information flow analysis module is used for acquiring source characteristic data according to the first characteristic interface flow data and/or the second characteristic interface flow data and/or the eleventh characteristic interface flow data based on the SA architecture;
the information packaging module is used for acquiring key data matched with the source characteristic data and address data matched with the source characteristic data according to the source characteristic data; forming the warning data according to the key data, the address data and the tunnel information;
the information acquisition module is used for acquiring third characteristic interface flow data, and analyzing and processing the third characteristic interface flow data into detection data;
the judging module is used for inquiring the information table when the detection data are matched with a preset state, and acquiring keywords matched with the information table according to the information table;
the judging module comprises an APT judging device, which is used for judging that the detection data is matched with a preset state under the condition that the detection data has an attack behavior;
and the tracing module traces back the source characteristic data matched with the keywords according to the keywords.
5. The 5G network APT attack traceability system based on an SA architecture according to claim 4, wherein the information acquisition module comprises:
The third flow receiver is used for acquiring third characteristic interface flow data, and performing unpacking processing on the third characteristic interface flow data to form user flow data;
and the processing module is used for carrying out analysis statistics and restoration on the user flow data to form the detection data.
6. The 5G network APT attack traceability system based on an SA architecture according to claim 5, wherein the judging module further comprises:
the traceability detector is used for carrying out static detection and dynamic detection on the detection data and judging whether the detection data has attack behaviors or not;
and the traceability inquirer is used for inquiring the information table and acquiring keywords matched with the information table according to the information table.
7. A computer readable storage medium storing a computer program, wherein the computer program when executed by a processor implements a 5G network APT attack tracing method based on an SA architecture according to any one of claims 1 to 3.
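The tracing flow of method claims 1 to 3 and the mirrored system claims 4 to 6, as an added Python example that is not part of the patent or its applicants' code. It assumes that the tunnel information is a (UPF address, GTP-U TEID) pair learned from N2/N11 signalling, that the source characteristic data is a subscriber identifier, and that the detection rule and every record are constructed sample data rather than captured traffic.

```python
# Added example (not the patent's own code): an in-memory model of the tracing
# flow in claims 1-3 (method) and 4-6 (system). Assumptions: "tunnel information"
# is (UPF address, GTP-U TEID) learned from N2/N11 signalling, "source
# characteristic data" is a subscriber identifier; all records are constructed.
from dataclasses import dataclass

def make_keyword(source_id: str, upf_addr: str, teid: int) -> str:
    """Keyword = source characteristic data + tunnel information (claim 1)."""
    return f"{source_id}|{upf_addr}|{teid:#010x}"

@dataclass(frozen=True)
class WarningData:  # warning data = key data + address data + tunnel information
    key_data: str      # assumed: PDU session identifier
    address_data: str  # assumed: UE IP address allocated to the session
    upf_addr: str
    teid: int

class InformationTable:
    """Information table keyed by keyword and matched with warning data."""
    def __init__(self):
        self._entries = {}    # keyword -> (source_id, WarningData)
        self._by_tunnel = {}  # (upf_addr, teid) -> keyword

    def register(self, source_id: str, warning: WarningData) -> str:
        kw = make_keyword(source_id, warning.upf_addr, warning.teid)
        self._entries[kw] = (source_id, warning)
        self._by_tunnel[(warning.upf_addr, warning.teid)] = kw
        return kw

    def keyword_for(self, upf_addr: str, teid: int):  # keyword matched with table
        return self._by_tunnel.get((upf_addr, teid))

    def trace(self, keyword: str):  # source characteristic data matched with keyword
        entry = self._entries.get(keyword)
        return None if entry is None else entry[0]

# Constructed static-detection rule standing in for the "preset state" of
# claim 3: destination on an indicator list (TEST-NET-3 address, RFC 5737).
BAD_DESTINATIONS = {"203.0.113.7"}

def matches_preset_state(detection: dict) -> bool:
    return detection["dst"] in BAD_DESTINATIONS

def trace_n3_records(table: InformationTable, records: list) -> list:
    """Return (source_id, keyword) for each parsed N3 record in the attack state."""
    traced = []
    for rec in records:
        kw = table.keyword_for(rec["upf"], rec["teid"]) if matches_preset_state(rec) else None
        if kw is not None and table.trace(kw) is not None:
            traced.append((table.trace(kw), kw))
    return traced
```

A production information table must also be time-scoped, because a TEID is reused by later PDU sessions and a lookup by tunnel alone would otherwise trace the wrong subscriber.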

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010360640.9A CN111641951B (en) 2020-04-30 2020-04-30 5G network APT attack tracing method and system based on SA architecture

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010360640.9A CN111641951B (en) 2020-04-30 2020-04-30 5G network APT attack tracing method and system based on SA architecture

Publications (2)

Publication Number Publication Date
CN111641951A CN111641951A (en) 2020-09-08
CN111641951B CN111641951B (en) 2023-10-24

Family

ID=72331903

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010360640.9A Active CN111641951B (en) 2020-04-30 2020-04-30 5G network APT attack tracing method and system based on SA architecture

Country Status (1)

Country Link
CN (1) CN111641951B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112203230B (en) * 2020-09-28 2022-07-12 南京皓汉信息技术有限公司 5G identity information acquisition and position judgment method and device
CN112543198B (en) * 2020-12-03 2023-06-02 恒安嘉新(北京)科技股份公司 Honeypot monitoring method, honeypot core network element, equipment and storage medium
CN113114692A (en) * 2021-04-16 2021-07-13 恒安嘉新(北京)科技股份公司 5G independent networking mobile network honeypot system

Citations (2)

Publication number Priority date Publication date Assignee Title
CN105376245A (en) * 2015-11-27 2016-03-02 杭州安恒信息技术有限公司 Rule-based detection method of ATP attack behavior
CN107733913A (en) * 2017-11-04 2018-02-23 武汉虹旭信息技术有限责任公司 Based on 5G network attacks traceability system and its method

Family Cites Families (4)

Publication number Priority date Publication date Assignee Title
CN101282340B (en) * 2008-05-09 2010-09-22 成都市华为赛门铁克科技有限公司 Method and apparatus for processing network attack
FR3010209B1 (en) * 2013-08-28 2015-08-21 Cassidian Cybersecurity Sas METHOD FOR DETECTING UNSOLICITED INTRUSIONS IN AN INFORMATION NETWORK, DEVICE, COMPUTER PROGRAM PRODUCT, AND CORRESPONDING STORAGE MEDIUM
CA2966408C (en) * 2014-10-31 2019-11-05 Cyber Crucible Inc. A system and method for network intrusion detection of covert channels based on off-line network traffic
CN107135187A (en) * 2016-02-29 2017-09-05 阿里巴巴集团控股有限公司 Preventing control method, the apparatus and system of network attack

Non-Patent Citations (4)

Title
APT detection and defence; 张璐; Netinfo Security (S1); full text *
Research on a network security protection system model against APT intrusion and its key technologies; 曾玮琳; 李贵华; 陈锦伟; Modern Electronics Technique (17); full text *
Network security situation awareness in a big data environment; 赵梦; Netinfo Security (09); full text *
Research on traffic-based attack tracing analysis and protection methods; 谭彬; 梁业裕; 李伟渊; Telecom Engineering Technics and Standardization (12); full text *

Also Published As

Publication number Publication date
CN111641951A (en) 2020-09-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant