CN111859374A - Method, device and system for detecting social engineering attack event - Google Patents


Info

Publication number
CN111859374A
Authority
CN
China
Prior art keywords
event
social engineering
attack event
feature
attack
Legal status
Granted
Application number
CN202010698590.5A
Other languages
Chinese (zh)
Other versions
CN111859374B (en)
Inventor
冯福伟
李鹏超
尚程
张振涛
何能强
梁彧
田野
傅强
王杰
杨满智
蔡琳
金红
陈晓光
Current Assignee
Eversec Beijing Technology Co Ltd
Original Assignee
Eversec Beijing Technology Co Ltd
Application filed by Eversec Beijing Technology Co Ltd
Priority to CN202010698590.5A
Publication of CN111859374A
Application granted
Publication of CN111859374B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention discloses a method, a device and a system for detecting a social engineering attack event. The method is applied to a honeypot system and comprises the following steps: capturing a network attack event; performing feature matching on the network attack event according to a social engineering knowledge base and a social engineering detection rule base; and determining whether the network attack event is a social engineering attack event or not according to the matching result. The technical scheme of the embodiment of the invention can realize the high-efficiency and accurate detection of the social engineering attack event.

Description

Method, device and system for detecting social engineering attack event
Technical Field
The embodiment of the invention relates to the technical field of network security, in particular to a method, a device and a system for detecting a social engineering attack event.
Background
The rapid spread of the internet and the mobile internet has made network access easy for the general public. While people enjoy the convenience of the internet, many lack network security awareness, so attacking users through phishing websites, mails, social networks and the like has become the first choice of social engineering attackers.
Currently, social engineering attack events are detected mainly with traditional security detection tools such as intrusion detection systems, virus detection systems and spam filtering systems. However, the detection objects of these conventional tools are mainly viruses, trojans, worms, botnets, malicious mails, malicious links, malicious websites and the like; they cannot detect information related to a person, whereas the target of a social engineering attack is a person, so this difference in detection objects greatly restricts the detection capability of conventional tools. Secondly, conventional security detection tools are generally deployed at specific positions such as the entrance and exit of an enterprise or service system and cannot be applied to a large-scale network environment; each detection point is independent of the others and holds its data separately rather than sharing it, and an attack event is usually evaluated from the detection result of a single detection point, so the detection effect on attack events is poor.
Disclosure of Invention
The embodiment of the invention provides a method, a device and a system for detecting a social engineering attack event, which are used for efficiently and accurately detecting the social engineering attack event.
In a first aspect, an embodiment of the present invention provides a method for detecting a social engineering attack event, which is applied to a honeypot system, and includes:
capturing a network attack event;
performing feature matching on the network attack event according to the social engineering knowledge base and the social engineering detection rule base;
and determining whether the network attack event is a social engineering attack event or not according to the matching result.
Optionally, performing feature matching on the network attack event according to the social engineering knowledge base and the social engineering detection rule base, including:
extracting the characteristics of the network attack event to obtain the event characteristics of the network attack event;
matching the attacker characteristics included in the event characteristics with a target attacker characteristic set included in a social engineering knowledge base; and/or
and matching the psychological characteristics included in the event characteristics with a target psychological characteristic set included in a social engineering knowledge base, and matching the technical characteristics included in the event characteristics with a detection rule set included in a social engineering detection rule base.
Optionally, determining whether the network attack event is a social engineering attack event according to the matching result includes:
if the attacker characteristics included in the event characteristics belong to a target attacker characteristic set included in a social engineering knowledge base, determining that the network attack event is a social engineering attack event; and/or
and if the psychological characteristics belonging to the target psychological characteristic set exist in the event characteristics and the target detection rule matched with the technical characteristics included in the event characteristics exists in the detection rule set included in the social engineering detection rule base, determining that the network attack event is the social engineering attack event.
Optionally, determining whether the network attack event is a social engineering attack event according to the matching result includes:
and if the psychological characteristics belonging to the target psychological characteristic set exist in the event characteristics and the target detection rule matched with the technical characteristics included in the event characteristics does not exist in the detection rule set included in the social engineering detection rule base, determining that the network attack event is a suspected social engineering attack event.
Optionally, the target psychological characteristic set at least includes: a horror feature, a decoy feature, a fear feature, a curiosity feature, a trust feature, a greedy feature, a sympathy feature, a guilt feature, and an authority feature;
the detection rule set at least comprises: malicious IP detection rules, malicious link detection rules, malicious mail detection rules, Trojan detection rules, virus detection rules, and back door program detection rules.
In a second aspect, an embodiment of the present invention further provides a device for detecting a social engineering attack event, which is applied to a honeypot system, and includes:
the acquisition module is used for acquiring a network attack event;
the matching module is used for performing feature matching on the network attack event according to the social engineering knowledge base and the social engineering detection rule base;
and the determining module is used for determining whether the network attack event is a social engineering attack event according to the matching result.
In a third aspect, an embodiment of the present invention further provides a system for detecting a social engineering attack event, including: a preset number of honeypot systems, a controller, an event analysis system and a data storage system;
the honeypot system is used for executing the detection method of the social engineering attack event provided by any embodiment of the invention and sending the detected social engineering attack event to the controller;
the controller is used for storing the social engineering attack events sent by each honeypot system to the data storage system and issuing event analysis instructions corresponding to the social engineering attack events to the event analysis system;
and the event analysis system is used for performing correlation analysis on each social engineering attack event matched with the current event analysis instruction and updating a social engineering knowledge base and a social engineering detection rule base which are included in the data storage system according to the correlation analysis result.
Optionally, the honeypot system is further configured to send the detected suspected social engineering attack event to the controller;
the controller is also used for storing the suspected social engineering attack event sent by the honeypot system into the data storage system and sending an event type judgment instruction corresponding to the suspected social engineering attack event to the event analysis system;
and the event analysis system is also used for carrying out characteristic classification statistics on the suspected social engineering attack event matched with the current event type judgment instruction, if the characteristic statistic value is greater than a preset threshold value, determining the suspected social engineering attack event as the social engineering attack event, and otherwise, determining the suspected social engineering attack event as other types of network attack events.
Optionally, the event analysis system is further configured to add a social engineering attack identifier to each social engineering attack event in the data storage system.
Optionally, the honeypot system comprises a high interaction honeypot system.
In a fourth aspect, an embodiment of the present invention further provides a honeypot system, where the honeypot system includes:
one or more processors;
a storage device for storing one or more programs,
when the one or more programs are executed by the one or more processors, the one or more processors implement the method for detecting a social engineering attack event provided by any of the embodiments of the present invention.
In a fifth aspect, the embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the method for detecting a social engineering attack event provided in any embodiment of the present invention.
According to the technical scheme of the embodiment of the invention, a honeypot system captures a network attack event; performing feature matching on the network attack event according to the social engineering knowledge base and the social engineering detection rule base; according to the matching result, whether the network attack event is the social engineering attack event or not is determined, the problem that the traditional safety detection tool in the prior art cannot effectively detect the social engineering attack event is solved, and the social engineering attack event can be efficiently and accurately detected.
Drawings
FIG. 1 is a flow chart of a method for detecting a social engineering attack event according to a first embodiment of the present invention;
fig. 2 is a schematic structural diagram of a detection apparatus for a social engineering attack event according to a second embodiment of the present invention;
fig. 3a is a schematic structural diagram of a system for detecting a social engineering attack event according to a third embodiment of the present invention;
FIG. 3b is a flowchart of a method for detecting a social engineering attack event according to a third embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a honeypot system in the fourth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
Example one
Fig. 1 is a flowchart of a method for detecting a social engineering attack event in an embodiment of the present invention, where the embodiment is applicable to a case of detecting a social engineering attack event, and the method may be performed by a device for detecting a social engineering attack event, where the device may be implemented by software and/or hardware, and may be generally integrated in a honeypot system. As shown in fig. 1, the method includes:
step 110, capturing network attack events.
A honeypot system is essentially a technology for deceiving an attacker: hosts, network services or information are set up as bait to induce the attacker to attack them, so that the attack behaviour can be captured and analysed, the tools and methods used by the attacker learned, and the attack intention and motivation inferred, thereby strengthening the defender's protection capability.
In the embodiment of the invention, honeypot systems can be deployed at different geographic positions across the whole network to form a distributed honeypot network, so that network attack events can be captured in a large-scale network environment and the detection range for social engineering attack events is expanded. The network attack events captured by the honeypot system can include traditional network attack events as well as social engineering attack events. A traditional network attack mounts only a technical malicious attack on the victim; a social engineering attack first exploits human weaknesses to obtain information about the victim or to establish a social relationship with the victim, and then uses the obtained information or the established relationship to mount a malicious network attack and extract valuable information from the victim.
In the embodiment of the invention, the honeypot system is a real computer system providing a complete operating system and services; the operating systems cover Windows, Mac iOS and Linux, and the services include WeChat, QQ, Aliwang, a mail system and the like. The honeypot system is set up by copying a real computer environment to a designated computer, so that the real computer environment is not damaged when the honeypot system is compromised.
And step 120, performing feature matching on the network attack event according to the social engineering knowledge base and the social engineering detection rule base.
In the embodiment of the invention, the honeypot system is provided with a social engineering knowledge base and a social engineering detection rule base, and after a network attack event is captured, whether the captured network attack event is the social engineering network attack event or not can be analyzed according to the psychology characteristic of a hacker and the characteristic of a social engineering attacker which are included in the social engineering knowledge base and the detection rule of the network attack which is included in the social engineering detection rule base.
Optionally, performing feature matching on the network attack event according to the social engineering knowledge base and the social engineering detection rule base, which may include: extracting the characteristics of the network attack event to obtain the event characteristics of the network attack event; matching the attacker characteristics included in the event characteristics with a target attacker characteristic set included in a social engineering knowledge base; and/or matching the psychological characteristics included in the event characteristics with a target psychological characteristic set included in a social engineering knowledge base, and matching the technical characteristics included in the event characteristics with a detection rule set included in a social engineering detection rule base.
In the embodiment of the invention, the event features can comprise psychological features, attacker features and technical features. When analyzing a captured network attack event, psychological features may be extracted from it, for example a horror feature corresponding to text such as "you will be in trouble if you do not open the link", or a decoy feature corresponding to text such as "open the link to enjoy a free trip to Europe"; attacker features, such as the attacker ID and attacker IP address, may be extracted from the event; and relevant technical features, such as the links and mails carried in the event, may be extracted from the event.
Considering that the social engineering network attack event can be directly judged according to the characteristics of the social engineering attacker, namely the characteristics of the target attacker, the acquired characteristics of the attacker can be matched with the characteristic set of the target attacker in the social engineering knowledge base so as to analyze whether the current network attack event is the social engineering network attack event or not; meanwhile, whether the current network attack event is the social engineering network attack event or not can be judged by combining the psychological characteristics and the technical characteristics of the current network attack event, so that the psychological characteristics are matched with a target psychological characteristic set included in a social engineering knowledge base, and the technical characteristics included in the event characteristics are matched with a detection rule set included in a social engineering detection rule base.
Optionally, the target psychological characteristic set at least includes: a horror feature, a decoy feature, a fear feature, a curiosity feature, a trust feature, a greedy feature, a sympathy feature, a guilt feature, and an authority feature.
The detection rule set at least comprises: malicious IP detection rules, malicious link detection rules, malicious mail detection rules, Trojan detection rules, virus detection rules, and back door program detection rules.
It should be noted that, in the embodiment of the present invention, the target psychological feature set is not limited to the psychological features listed above, and the detection rule set is not limited to the detection rules listed above; both can be updated and refined as the system learns from confirmed social engineering attack events.
In the embodiment of the invention, the honeypot system is provided with the social engineering knowledge base and the social engineering detection rule base, so that the honeypot system can accurately judge whether the captured network attack event is the social engineering attack event from the human and technical safety aspects, and the detection accuracy of the honeypot system on the social engineering attack event is improved.
And step 130, determining whether the network attack event is a social engineering attack event or not according to the matching result.
Optionally, determining whether the network attack event is a social engineering attack event according to the matching result may include: if the attacker characteristics included in the event characteristics belong to a target attacker characteristic set included in a social engineering knowledge base, determining that the network attack event is a social engineering attack event; and/or if the psychological characteristics belonging to the target psychological characteristic set exist in the event characteristics and the target detection rules matched with the technical characteristics included in the event characteristics exist in the detection rule set included in the social engineering detection rule base, determining that the network attack event is the social engineering attack event.
In the embodiment of the present invention, if the attacker characteristic of the current network attack event is consistent with a certain target attacker characteristic in the target attacker characteristic set, for example, the IP address of the attacker of the current network attack event is the same as the IP address of a certain target attacker, the current network attack event is considered to be also a social engineering network attack event initiated by the target attacker, and if no characteristic in the target attacker characteristic set is the same as the attacker characteristic of the current network attack event, the current network attack event is considered not necessarily to be the social engineering attack event, and further determination is required. At this time, if at least one psychological characteristic belonging to the target psychological characteristic set exists in the psychological characteristics of the current network attack event, and a target detection rule matching the technical characteristics of the current network attack event exists in the detection rule set, for example, a link in the current network attack event hits a malicious link detection rule in the detection rule set, the network attack event is determined to be a social engineering attack event.
In the embodiment of the invention, judging a social engineering attack event from the combination of psychological and technical features and judging it from the attacker features are two independent modes: their execution order can be changed, and either one may be used alone as required to judge whether the current network attack event is a social engineering attack event.
Optionally, determining whether the network attack event is a social engineering attack event according to the matching result may include: and if the psychological characteristics belonging to the target psychological characteristic set exist in the event characteristics and the target detection rule matched with the technical characteristics included in the event characteristics does not exist in the detection rule set included in the social engineering detection rule base, determining that the network attack event is a suspected social engineering attack event.
In the embodiment of the invention, when a mode of combining psychological characteristics and technical characteristics is adopted to judge the social engineering attack event, if at least one psychological characteristic belonging to a target psychological characteristic set exists in the psychological characteristics of the current network attack event, but the technical characteristics of the current network attack event are not matched with any target detection rule in a detection rule set, the current network attack event is considered to be a suspected social engineering attack event, and further analysis and judgment are needed.
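The following Python sketch is an added illustration of steps 110 to 130 written for this page; it is not the patent's implementation. It extracts the three feature groups from a captured event and applies the three decision rules (known attacker; psychological feature plus detection rule hit; psychological feature only). The knowledge base, rule base, phrase lexicon and sample events are all constructed, and addresses and domains use reserved documentation ranges.

```python
"""Honeypot-side detection for steps 110 to 130 (added example, not the patent's
code). All data is constructed: in-memory knowledge base and rule base, a phrase
lexicon for psychological features, and reserved documentation addresses/domains."""
from dataclasses import dataclass, field
import re

# Social engineering knowledge base: target attacker feature set (attackers already
# confirmed upstream) and the nine target psychological features named in the patent.
TARGET_ATTACKER_FEATURES = {"ip:203.0.113.7", "id:prize_desk"}
TARGET_PSYCH_FEATURES = {"horror", "decoy", "fear", "curiosity", "trust",
                         "greedy", "sympathy", "guilt", "authority"}

# Phrase lexicon used to extract psychological features from message text
# (constructed illustration; a deployed system would use a richer model).
PSYCH_LEXICON = {
    "horror": ("in trouble if", "will be deleted"),
    "decoy": ("free trip", "you have won", "claim your prize"),
    "fear": ("unauthorized login", "account suspended"),
    "curiosity": ("see who viewed", "you won't believe"),
    "trust": ("from the it department", "your bank"),
    "greedy": ("double your money", "guaranteed return"),
    "sympathy": ("urgent donation", "help a child"),
    "guilt": ("you forgot to", "you still owe"),
    "authority": ("ceo request", "by order of"),
}

# Social engineering detection rule base (constructed entries per rule category).
DETECTION_RULES = {
    "malicious_ip": {"198.51.100.23"},
    "malicious_link": [re.compile(r"https?://\S*\.example\.com/(login|claim)")],
    "trojan": {"invoice.pdf.exe", "photo.scr"},
}

@dataclass
class Event:
    """A captured network attack event (step 110)."""
    attacker_ip: str
    attacker_id: str
    body: str
    links: list = field(default_factory=list)
    attachments: list = field(default_factory=list)

def extract_features(ev):
    """Step 120: split the event into attacker, psychological and technical features."""
    text = ev.body.lower()
    psych = {cat for cat, phrases in PSYCH_LEXICON.items()
             if any(p in text for p in phrases)}
    attacker = {"ip:" + ev.attacker_ip, "id:" + ev.attacker_id}
    technical = {"ip": ev.attacker_ip, "links": ev.links, "attachments": ev.attachments}
    return attacker, psych, technical

def match_detection_rules(tech):
    """Step 120: names of the detection rules hit by the technical features."""
    hits = []
    if tech["ip"] in DETECTION_RULES["malicious_ip"]:
        hits.append("malicious_ip")
    if any(r.search(link) for link in tech["links"]
           for r in DETECTION_RULES["malicious_link"]):
        hits.append("malicious_link")
    if any(a in DETECTION_RULES["trojan"] for a in tech["attachments"]):
        hits.append("trojan")
    return hits

def classify(ev):
    """Step 130: apply the decision rules of the patent in order."""
    attacker, psych, technical = extract_features(ev)
    attacker_hits = attacker & TARGET_ATTACKER_FEATURES
    psych_hits = psych & TARGET_PSYCH_FEATURES
    rule_hits = match_detection_rules(technical)
    if attacker_hits:                # known social engineering attacker
        label = "social_engineering"
    elif psych_hits and rule_hits:   # psychological lure plus a technical hit
        label = "social_engineering"
    elif psych_hits:                 # lure only: needs further analysis upstream
        label = "suspected"
    else:                            # no lure: some other kind of attack event
        label = "other"
    return {"label": label, "attacker_hits": attacker_hits,
            "psych_hits": psych_hits, "rule_hits": rule_hits}

# Constructed sample events, one per decision branch.
SAMPLE_EVENTS = [
    Event("203.0.113.7", "user42", "Hi, see attached."),
    Event("192.0.2.10", "promo", "Open the link to enjoy a free trip to Europe!",
          links=["http://win.example.com/claim?id=1"]),
    Event("192.0.2.11", "admin", "You will be in trouble if you do not open the link",
          links=["https://www.example.org/"]),
    Event("192.0.2.12", "ops", "Monthly report attached.", attachments=["invoice.pdf.exe"]),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        v = classify(ev)
        print(ev.attacker_ip, v["label"], sorted(v["psych_hits"]), v["rule_hits"])
```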
According to the technical scheme of the embodiment of the invention, a honeypot system captures a network attack event; performing feature matching on the network attack event according to the social engineering knowledge base and the social engineering detection rule base; according to the matching result, whether the network attack event is the social engineering attack event or not is determined, the problem that the traditional safety detection tool in the prior art cannot effectively detect the social engineering attack event is solved, and the social engineering attack event can be efficiently and accurately detected.
Example two
Fig. 2 is a schematic structural diagram of a detection apparatus for a social engineering attack event in the second embodiment of the present invention. The present embodiment may be applicable to the case of detecting a social engineering attack event, which may be implemented by software and/or hardware and may be generally integrated in a honeypot system. As shown in fig. 2, the device is applied to a honeypot system, and comprises:
a capturing module 210, configured to capture a network attack event;
the matching module 220 is used for performing feature matching on the network attack event according to the social engineering knowledge base and the social engineering detection rule base;
and the determining module 230 is configured to determine whether the network attack event is a social engineering attack event according to the matching result.
According to the technical scheme of the embodiment of the invention, a honeypot system captures a network attack event; performing feature matching on the network attack event according to the social engineering knowledge base and the social engineering detection rule base; according to the matching result, whether the network attack event is the social engineering attack event or not is determined, the problem that the traditional safety detection tool in the prior art cannot effectively detect the social engineering attack event is solved, and the social engineering attack event can be efficiently and accurately detected.
Optionally, the matching module 220 is specifically configured to:
extracting the characteristics of the network attack event to obtain the event characteristics of the network attack event; matching the attacker characteristics included in the event characteristics with a target attacker characteristic set included in a social engineering knowledge base; and/or
and matching the psychological characteristics included in the event characteristics with a target psychological characteristic set included in a social engineering knowledge base, and matching the technical characteristics included in the event characteristics with a detection rule set included in a social engineering detection rule base.
Optionally, the determining module 230 is specifically configured to:
if the attacker characteristics included in the event characteristics belong to a target attacker characteristic set included in a social engineering knowledge base, determining that the network attack event is a social engineering attack event; and/or
and if the psychological characteristics belonging to the target psychological characteristic set exist in the event characteristics and the target detection rule matched with the technical characteristics included in the event characteristics exists in the detection rule set included in the social engineering detection rule base, determining that the network attack event is the social engineering attack event.
Optionally, the determining module 230 is specifically configured to:
and if the psychological characteristics belonging to the target psychological characteristic set exist in the event characteristics and the target detection rule matched with the technical characteristics included in the event characteristics does not exist in the detection rule set included in the social engineering detection rule base, determining that the network attack event is a suspected social engineering attack event.
Optionally, the target psychological characteristic set at least includes: a horror feature, a decoy feature, a fear feature, a curiosity feature, a trust feature, a greedy feature, a sympathy feature, a guilt feature, and an authority feature;
the detection rule set at least comprises: malicious IP detection rules, malicious link detection rules, malicious mail detection rules, Trojan detection rules, virus detection rules, and back door program detection rules.
The detection device for the social engineering attack event provided by the embodiment of the invention can execute the detection method for the social engineering attack event applied to the honeypot system provided by any embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method.
Example three
Fig. 3a is a schematic structural diagram of a system for detecting a social engineering attack event in a third embodiment of the present invention, and this embodiment is applicable to a case of detecting a social engineering attack event. As shown in fig. 3a, the system comprises: a predetermined number of honeypot systems 310, controllers 320, event analysis systems 330, and data storage systems 340;
honeypot system 310 for capturing network attack events; performing feature matching on the network attack event according to the social engineering knowledge base and the social engineering detection rule base; determining whether the network attack event is a social engineering attack event according to the matching result, and transmitting the detected social engineering attack event to the controller 320;
the controller 320 is configured to store the social engineering attack events sent by each honeypot system 310 in the data storage system 340, and issue event analysis instructions corresponding to the social engineering attack events to the event analysis system 330;
the event analysis system 330 is configured to perform association analysis on each social engineering attack event matched with the current event analysis instruction, and update the social engineering knowledge base and the social engineering detection rule base included in the data storage system 340 according to an association analysis result.
In the embodiment of the invention, the honeypot systems are deployed in the whole network range, the network attack event is captured in a large-scale network environment, and the real social engineering attack behavior is detected by gathering, analyzing and correlating the data captured by the honeypot systems.
In the embodiment of the present invention, as shown in fig. 3b, the detection system deploys honeypot systems 310 at different geographical locations across the whole network, so that at least one honeypot system is present in each region nationwide; that is, the resulting distributed honeypot network includes at least 31 honeypot systems 310. Moreover, every honeypot system 310 has the same system environment and is configured with the same social engineering knowledge base and social engineering detection rule base.
In the embodiment of the present invention, as shown in fig. 3b, the honeypot system 310 can capture the various cyber attack events it receives, perform feature matching on the captured cyber attack events using the social engineering knowledge base and the social engineering detection rule base, detect whether the captured cyber attack events are social engineering attack events with social engineering features, and report the detected social engineering attack events to the controller 320. The honeypot system 310 can also receive instructions and data issued by the controller 320 and is controlled by the controller 320.
The events reported by the deployed distributed honeypot system 310 to the controller 320 include multiple types, for example, when the social engineering attack event is a phishing mail, the reported content includes event time, mail sender, mail receiver, mail body, mail attachment and the like, and when the social engineering attack event is an instant communication message, the reported content includes event time, communication tool type, message sender ID, message receiver ID, message content, message attachment and the like.
Optionally, the honeypot system 310 is specifically configured to: extracting the characteristics of the network attack event to obtain the event characteristics of the network attack event; matching the attacker characteristics included in the event characteristics with a target attacker characteristic set included in a social engineering knowledge base; and/or matching the psychological characteristics included in the event characteristics with a target psychological characteristic set included in a social engineering knowledge base, and matching the technical characteristics included in the event characteristics with a detection rule set included in a social engineering detection rule base.
Optionally, the honeypot system 310 is specifically configured to: if the attacker characteristics included in the event characteristics belong to a target attacker characteristic set included in a social engineering knowledge base, determining that the network attack event is a social engineering attack event; and/or determining the network attack event as a social engineering attack event if the psychological features belonging to the target psychological feature set exist in the event features and the target detection rules matched with the technical features included in the event features exist in the detection rule set included in the social engineering detection rule base.
Optionally, the target psychological characteristic set at least includes: a horror feature, a decoy feature, a fear feature, a curiosity feature, a trust feature, a greedy feature, a sympathy feature, a guilt feature, and an authority feature; the detection rule set at least comprises: malicious IP detection rules, malicious link detection rules, malicious mail detection rules, Trojan detection rules, virus detection rules, and back door program detection rules.
In the embodiment of the present invention, the controller 320 is the central hub of the whole detection system, and functions to connect the honeypot system 310, the event analysis system 330, the data storage system 340, and other components. The controller 320 may issue instructions to the honeypot system 310, synchronize data, receive a social engineering attack event reported by the honeypot system 310, store the event data in the data storage system 340, and issue an event analysis instruction to the event analysis system 330, so that the event analysis system 330 further analyzes the event, as shown in fig. 3b. The controller 320 also provides a visual operation interface to the user to facilitate data lookup, system configuration, and the like.
In the embodiment of the present invention, after receiving the event analysis instruction issued by the controller 320, the event analysis system 330 classifies and counts the social engineering attack events reported by the honeypot system 310, obtains the proportion of each psychological characteristic in the events, and, using association rules, mines the association relationships hidden between data items from the event data of the social engineering attack event and the event data stored in the data storage system 340. For example, if the social engineering attack event includes an attraction feature and a threatening feature, the degree of association between the attraction feature and the threatening feature may be mined. Then, according to the proportion of each psychological feature and the degree of association between features, the social engineering knowledge base and the social engineering detection rule base in all the honeypot systems 310 are updated: for example, a new feature or a feature association relationship is added to the social engineering knowledge base, and a detection rule corresponding to the new feature is added to the social engineering detection rule base, so that the accuracy of detecting social engineering attack events is improved.
In this embodiment of the present invention, after receiving the event analysis instruction issued by the controller 320, the event analysis system 330 may further check whether other honeypot systems 310 have also detected the social engineering attack event, and if so, obtain the data of the social engineering attack event detected by the other honeypot systems and perform association analysis together with the data of the attack event reported by the current honeypot system, for example from the angles of the attack range of the event, the number of attackers, and the like, so as to determine with higher probability that the event is a social engineering attack.
In the embodiment of the present invention, the data storage system 340 may provide access services for all data in the detection system, including data such as social engineering knowledge, social engineering detection rules, social engineering attack events, and network attack events. The data storage system 340 also provides data reading and writing services to meet the writing and reading requirements of the controller 320 and the event analysis system 330 on various types of data.
In the embodiment of the present invention, the event analysis system 330 may also perform preprocessing on the data of the network attack event captured by the honeypot system 310 after the honeypot system 310 captures the network attack event, and remove incomplete, inconsistent or abnormal event data therein, so that the honeypot system 310 only analyzes the screened network attack event, and the efficiency of the honeypot system in detecting the network attack event is improved.
Optionally, the honeypot system 310 is further configured to send the detected suspected social engineering attack event to the controller 320;
the controller 320 is further configured to store the suspected social engineering attack event sent by the honeypot system 310 in the data storage system 340, and issue an event type determination instruction corresponding to the suspected social engineering attack event to the event analysis system 330;
the event analysis system 330 is further configured to perform feature classification statistics on the suspected social engineering attack event matched with the current event type judgment instruction, determine that the suspected social engineering attack event is a social engineering attack event if a feature statistic value is greater than a preset threshold value, and otherwise determine that the suspected social engineering attack event is another type of network attack event.
In the embodiment of the present invention, when the honeypot system 310 determines a social engineering attack event by combining psychological characteristics and technical characteristics, if at least one psychological characteristic belonging to a target psychological characteristic set exists in the psychological characteristics of a current cyber attack event, but the technical characteristics of the current cyber attack event do not match any target detection rule in a detection rule set, the current cyber attack event is considered to be a suspected social engineering attack event with social engineering characteristics, and further analysis and determination are required. At this time, the honeypot system 310 reports the suspected social engineering attack event to the controller 320, so as to further determine whether the event is a social engineering attack event by the controller 320 calling the event analysis system 330. It should be noted that the honeypot system 310 directly performs the discarding operation on the cyber attack event without social engineering characteristics.
In the embodiment of the present invention, after receiving an event type determination instruction corresponding to a suspected social engineering attack event issued by the controller 320, the event analysis system 330 performs feature classification statistics on the suspected social engineering attack event matched with the current event type determination instruction, determines that the suspected social engineering attack event is a social engineering attack event when a feature statistic value is greater than a preset threshold value, and determines that the suspected social engineering attack event is another type of network attack event when the feature statistic value is less than or equal to the preset threshold value. For example, if the preset threshold of the social engineering attack is determined to be 4, and there are 3 psychological features included in the suspected social engineering attack event, that is, the feature statistic is 3, the suspected social engineering attack event is determined to be another type of network attack event.
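The honeypot-side matching described above (attacker features against the knowledge base, psychological features plus technical features against the detection rule base, the suspected-event branch) together with the event analysis system's threshold check, as an added Python example that is not code from the patent; the cue lexicon, the rule base, and all addresses, URLs and digests are constructed placeholders.

```python
"""Added example, not code from the patent: the honeypot-side feature
matching of the third embodiment and the event analysis system's threshold
check on suspected events. Lexicon, rule data and sample mails are constructed."""
from dataclasses import dataclass, field
import re

# Target psychological feature set, as enumerated in the text.
TARGET_PSYCH_FEATURES = {"horror", "decoy", "fear", "curiosity", "trust",
                         "greedy", "sympathy", "guilt", "authority"}

# Constructed cue lexicon (assumption): lower-case phrase -> psychological feature.
PSYCH_LEXICON = {
    "account will be suspended": "fear",
    "legal action": "horror",
    "you have won": "greedy",
    "free gift": "decoy",
    "see attached photos": "curiosity",
    "from the it department": "authority",
    "as your colleague": "trust",
    "urgently need your help": "sympathy",
    "you forgot to": "guilt",
}

# Constructed social engineering knowledge base: target attacker feature set.
KNOWLEDGE_BASE_ATTACKERS = {"known-sender@attacker.example"}  # placeholder identity

# Constructed social engineering detection rule base: name -> predicate over the
# technical features. Only two of the six rule types named in the text are modelled.
MALICIOUS_LINKS = {"http://login-verify.example/reset"}  # placeholder URL
TROJAN_HASHES = {"0" * 32}                                # placeholder digest
DETECTION_RULES = {
    "malicious_link": lambda t: any(u in MALICIOUS_LINKS for u in t["urls"]),
    "trojan": lambda t: any(h in TROJAN_HASHES for h in t["attachment_hashes"]),
}


@dataclass
class PhishingMail:
    """Content a honeypot reports for a phishing mail, per the text."""
    event_time: str
    sender: str
    receiver: str
    body: str
    attachment_hashes: list = field(default_factory=list)


@dataclass
class EventFeatures:
    attacker: set        # attacker features
    psychological: set   # psychological features
    technical: dict      # technical features


def extract_features(mail: PhishingMail) -> EventFeatures:
    """Feature extraction step: attacker, psychological and technical features."""
    body = mail.body.lower()
    psych = {feat for phrase, feat in PSYCH_LEXICON.items() if phrase in body}
    urls = [u.rstrip(".,;)") for u in re.findall(r"https?://\S+", mail.body)]
    return EventFeatures(attacker={mail.sender.lower()}, psychological=psych,
                         technical={"urls": urls,
                                    "attachment_hashes": list(mail.attachment_hashes)})


def honeypot_classify(ev: EventFeatures) -> str:
    """Honeypot-side decision: 'social_engineering', 'suspected' or 'discard'.
    Attacker feature in the target set => social engineering.
    Target psychological feature AND a matching detection rule => social engineering.
    Psychological feature but no rule match => suspected (reported for analysis).
    No social engineering feature at all => discarded by the honeypot."""
    if ev.attacker & KNOWLEDGE_BASE_ATTACKERS:
        return "social_engineering"
    has_psych = bool(ev.psychological & TARGET_PSYCH_FEATURES)
    rule_hit = any(pred(ev.technical) for pred in DETECTION_RULES.values())
    if has_psych and rule_hit:
        return "social_engineering"
    return "suspected" if has_psych else "discard"


def event_analysis_judge(ev: EventFeatures, threshold: int = 4) -> str:
    """Event analysis system: feature statistic = number of target psychological
    features; strictly greater than the preset threshold => social engineering,
    otherwise another type of network attack (the text's example: 3 against 4)."""
    statistic = len(ev.psychological & TARGET_PSYCH_FEATURES)
    return "social_engineering" if statistic > threshold else "other_network_attack"


# Constructed sample events (all addresses, URLs and digests are placeholders).
SAMPLE_MAILS = {
    "credential_lure": PhishingMail("2020-07-20T08:00:00Z", "noreply@bank.example",
        "victim@honeypot.example", "Your account will be suspended unless you "
        "verify at http://login-verify.example/reset."),
    "plea_no_payload": PhishingMail("2020-07-20T08:05:00Z", "friend@mail.example",
        "victim@honeypot.example", "Hi, as your colleague I urgently need your "
        "help, see attached photos."),
    "many_cues": PhishingMail("2020-07-20T08:10:00Z", "helpdesk@corp.example",
        "victim@honeypot.example", "From the IT department: you forgot to renew. "
        "Legal action follows and your account will be suspended, but you have "
        "won a free gift."),
    "benign": PhishingMail("2020-07-20T08:15:00Z", "peer@corp.example",
        "victim@honeypot.example", "Minutes of today's meeting are in the wiki."),
}


def run_pipeline(mail: PhishingMail) -> str:
    """Honeypot decision, then the event analysis threshold check for suspected events."""
    ev = extract_features(mail)
    verdict = honeypot_classify(ev)
    return event_analysis_judge(ev) if verdict == "suspected" else verdict


if __name__ == "__main__":
    for name, mail in SAMPLE_MAILS.items():
        print(f"{name}: {run_pipeline(mail)}")
```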
In order to avoid misjudgment and missed judgment of the honeypot system 310 on the attack event, the event analysis system 330 may also judge the social engineering attack event according to a combination of psychological characteristics and technical characteristics, and judge the social engineering attack event according to an attacker characteristic.
Optionally, the event analysis system 330 is further configured to add a social engineering attack identifier to each social engineering attack event in the data storage system 340.
In this embodiment of the present invention, as shown in fig. 3b, the event analysis system 330 may further add, according to the type of the attack event, an identifier of a social engineering attack to the social engineering attack event stored in the data storage system 340, and add an identifier of another type of network attack to another type of attack event, for example, add an identifier of a conventional network attack to a conventional network attack event.
Optionally, honeypot system 310 includes a high interaction honeypot system.
In the embodiment of the present invention, the honeypot system 310 is a high-interaction honeypot system, that is, a real operating system and real services are used as the honeypot, which can interact with the attacker and allows programs to be read and written, so that more comprehensive attack information is captured.
The technical scheme of the embodiment of the invention realizes multi-node and wide-dimension detection of social engineering attack in a large-scale network environment by deploying honeypot systems at different geographic positions of the whole network, captures network attack events through the honeypot systems, analyzes and judges the captured network attack events, reports the network attack events determined as the social engineering attack events to the controller, stores the data of the events into the data storage system by the controller, and schedules the event analysis system to correlate and analyze the event data in the data storage system so as to perfect and update the social engineering knowledge base and the social engineering detection rule base in the honeypot systems, thereby further improving the accuracy of the social engineering attack detection.
Example four
Fig. 4 is a schematic structural diagram of a honeypot system in the fourth embodiment of the present invention. FIG. 4 illustrates a block diagram of an exemplary honeypot system 12 suitable for use in implementing embodiments of the present invention. The honeypot system 12 shown in FIG. 4 is only an example and should not impose any limitations on the functionality or scope of use of embodiments of the present invention.
As shown in FIG. 4, the honeypot system 12 is in the form of a general purpose computing device. The components of the honeypot system 12 can include, but are not limited to: one or more processors or processing units 16, a system memory 28, and a bus 18 that couples various system components including the system memory 28 and the processing unit 16.
Bus 18 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, such architectures include, but are not limited to, Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, enhanced ISA bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.
Honeypot system 12 typically includes a variety of computer system readable media. Such media may be any available media that is accessible by the honeypot system 12 and includes both volatile and nonvolatile media, removable and non-removable media.
The system memory 28 may include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM) 30 and/or cache memory 32. The honeypot system 12 can further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 34 may be used to read from and write to non-removable, nonvolatile magnetic media (not shown in FIG. 4, and commonly referred to as a "hard drive"). Although not shown in FIG. 4, a magnetic disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In these cases, each drive may be connected to bus 18 by one or more data media interfaces. Memory 28 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the invention.
A program/utility 40 having a set (at least one) of program modules 42 may be stored, for example, in memory 28, such program modules 42 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each of which examples or some combination thereof may comprise an implementation of a network environment. Program modules 42 generally carry out the functions and/or methodologies of the described embodiments of the invention.
The honeypot system 12 can also communicate with one or more external devices 14 (e.g., keyboard, pointing device, display 24, etc.), with one or more devices that enable a user to interact with the honeypot system 12, and/or with any devices (e.g., network card, modem, etc.) that enable the honeypot system 12 to communicate with one or more other computing devices. Such communication may be through an input/output (I/O) interface 22. Also, the honeypot system 12 can communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the Internet) via the network adapter 20. As shown, the network adapter 20 communicates with the other modules of the honeypot system 12 over the bus 18. It should be appreciated that, although not shown in the figures, other hardware and/or software modules may be used in conjunction with the honeypot system 12, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
The processing unit 16 executes various functional applications and data processing by running programs stored in the system memory 28, for example, implementing the method for detecting social engineering attack events applied to honeypot systems provided by the embodiment of the present invention.
Namely: the method for detecting the social engineering attack event is applied to a honeypot system and comprises the following steps: acquiring a network attack event; performing feature matching on the network attack event according to the social engineering knowledge base and the social engineering detection rule base; and determining whether the network attack event is a social engineering attack event or not according to the matching result.
Example five
The fifth embodiment of the present invention further discloses a computer storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the method for detecting a social engineering attack event applied to a honeypot system is implemented, including:
capturing a network attack event;
performing feature matching on the network attack event according to the social engineering knowledge base and the social engineering detection rule base;
and determining whether the network attack event is a social engineering attack event or not according to the matching result.
Computer storage media for embodiments of the invention may employ any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. For example, the computer-readable storage medium may be, but is not limited to: an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++, or the like, as well as conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (10)

1. A detection method of a social engineering attack event is applied to a honeypot system and comprises the following steps:
capturing a network attack event;
performing feature matching on the network attack event according to a social engineering knowledge base and a social engineering detection rule base;
and determining whether the network attack event is a social engineering attack event or not according to the matching result.
2. The method of claim 1, wherein performing feature matching on the cyber attack event according to a social engineering knowledge base and a social engineering detection rule base comprises:
extracting the characteristics of the network attack event to obtain the event characteristics of the network attack event;
matching the attacker characteristics included in the event characteristics with a target attacker characteristic set included in the social engineering knowledge base; and/or
and matching the psychological characteristics included in the event characteristics with a target psychological characteristic set included in the social engineering knowledge base, and matching the technical characteristics included in the event characteristics with a detection rule set included in the social engineering detection rule base.
3. The method of claim 2, wherein determining whether the cyber-attack event is a social engineering attack event according to the matching result comprises:
if the attacker characteristics included in the event characteristics belong to a target attacker characteristic set included in the social engineering knowledge base, determining that the network attack event is a social engineering attack event; and/or
and if the psychological characteristics belonging to the target psychological characteristic set exist in the event characteristics and the target detection rule matched with the technical characteristics included in the event characteristics exists in the detection rule set included in the social engineering detection rule base, determining that the network attack event is a social engineering attack event.
4. The method of claim 2, wherein determining whether the cyber-attack event is a social engineering attack event according to the matching result comprises:
and if the psychological characteristics belonging to the target psychological characteristic set exist in the event characteristics and the target detection rule matched with the technical characteristics included in the event characteristics does not exist in the detection rule set included in the social engineering detection rule base, determining that the network attack event is a suspected social engineering attack event.
5. The method according to claim 2, characterized in that said set of target psychological features comprises at least: a horror feature, a decoy feature, a fear feature, a curiosity feature, a trust feature, a greedy feature, a sympathy feature, a guilt feature, and an authority feature;
the set of detection rules at least comprises: malicious IP detection rules, malicious link detection rules, malicious mail detection rules, Trojan detection rules, virus detection rules, and back door program detection rules.
6. A detection device for a social engineering attack event, characterized in that it is applied to a honeypot system and comprises:
the acquisition module is used for acquiring a network attack event;
the matching module is used for performing feature matching on the network attack event according to a social engineering knowledge base and a social engineering detection rule base;
and the determining module is used for determining whether the network attack event is a social engineering attack event or not according to the matching result.
7. A system for detecting a social engineering attack event, comprising: a preset number of honeypot systems, a controller, an event analysis system, and a data storage system;
the honeypot system, which is used for executing the detection method of the social engineering attack event according to any one of claims 1-5 and sending the detected social engineering attack event to the controller;
the controller is used for storing the social engineering attack events sent by each honeypot system to the data storage system and issuing event analysis instructions corresponding to the social engineering attack events to the event analysis system;
and the event analysis system is used for performing correlation analysis on each social engineering attack event matched with the current event analysis instruction and updating a social engineering knowledge base and a social engineering detection rule base which are included in the data storage system according to a correlation analysis result.
8. The system of claim 7,
the honeypot system is also used for sending the detected suspected social engineering attack event to the controller;
the controller is also used for storing a suspected social engineering attack event sent by the honeypot system into a data storage system and sending an event type judgment instruction corresponding to the suspected social engineering attack event to the event analysis system;
the event analysis system is further used for carrying out feature classification statistics on the suspected social engineering attack event matched with the current event type judgment instruction, if the feature statistical value is larger than a preset threshold value, the suspected social engineering attack event is determined to be the social engineering attack event, and otherwise, the suspected social engineering attack event is determined to be other types of network attack events.
9. The system of claim 8,
the event analysis system is also used for adding social engineering attack identifications to all social engineering attack events in the data storage system.
10. The system of claim 7, wherein the honeypot system comprises a high interaction honeypot system.
CN202010698590.5A 2020-07-20 2020-07-20 Method, device and system for detecting social engineering attack event Active CN111859374B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010698590.5A CN111859374B (en) 2020-07-20 2020-07-20 Method, device and system for detecting social engineering attack event

Publications (2)

Publication Number Publication Date
CN111859374A true CN111859374A (en) 2020-10-30
CN111859374B CN111859374B (en) 2024-03-19

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113141347A (en) * 2021-03-16 2021-07-20 中国科学院信息工程研究所 Social work information protection method and device, electronic equipment and storage medium
CN113381981A (en) * 2021-05-13 2021-09-10 中国科学院信息工程研究所 Social attack stress transformation protection method and system, electronic device and storage medium
CN114553481A (en) * 2022-01-17 2022-05-27 重庆邮电大学 Network attack event prediction and optimal active defense strategy selection system

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120096553A1 (en) * 2010-10-19 2012-04-19 Manoj Kumar Srivastava Social Engineering Protection Appliance
CN102739647A (en) * 2012-05-23 2012-10-17 国家计算机网络与信息安全管理中心 High-interaction honeypot based network security system and implementation method thereof
CN103530561A (en) * 2013-10-21 2014-01-22 北京奇虎科技有限公司 Method and device for preventing attacks of Trojan horse programs based on social engineering
CN104852916A (en) * 2015-05-08 2015-08-19 西安石油大学 Social engineering-based webpage verification code recognition method and system
CN106470188A (en) * 2015-08-18 2017-03-01 中国电信股份有限公司 The detection method of security threat, device and security gateway
CN108183888A (en) * 2017-12-15 2018-06-19 恒安嘉新(北京)科技股份公司 A kind of social engineering Network Intrusion path detection method based on random forests algorithm
CN109450929A (en) * 2018-12-13 2019-03-08 成都亚信网络安全产业技术研究院有限公司 A kind of safety detection method and device
CN110290155A (en) * 2019-07-23 2019-09-27 北京邮电大学 The defence method and device of social engineering attack
CN110300054A (en) * 2019-07-03 2019-10-01 论客科技(广州)有限公司 The recognition methods of malice fishing mail and device
CN111131166A (en) * 2019-11-28 2020-05-08 重庆小雨点小额贷款有限公司 User behavior prejudging method and related equipment
CN111147489A (en) * 2019-12-26 2020-05-12 中国科学院信息工程研究所 Link camouflage-oriented fishfork attack mail discovery method and device

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120096553A1 (en) * 2010-10-19 2012-04-19 Manoj Kumar Srivastava Social Engineering Protection Appliance
CN102739647A (en) * 2012-05-23 2012-10-17 国家计算机网络与信息安全管理中心 High-interaction honeypot based network security system and implementation method thereof
CN103530561A (en) * 2013-10-21 2014-01-22 北京奇虎科技有限公司 Method and device for preventing attacks of Trojan horse programs based on social engineering
CN104852916A (en) * 2015-05-08 2015-08-19 西安石油大学 Social engineering-based webpage verification code recognition method and system
CN106470188A (en) * 2015-08-18 2017-03-01 中国电信股份有限公司 Security threat detection method, device and security gateway
CN108183888A (en) * 2017-12-15 2018-06-19 恒安嘉新(北京)科技股份公司 Social engineering network intrusion attack path detection method based on a random forest algorithm
CN109450929A (en) * 2018-12-13 2019-03-08 成都亚信网络安全产业技术研究院有限公司 Security detection method and device
CN110300054A (en) * 2019-07-03 2019-10-01 论客科技(广州)有限公司 Method and device for identifying malicious phishing emails
CN110290155A (en) * 2019-07-23 2019-09-27 北京邮电大学 Defense method and device against social engineering attacks
CN111131166A (en) * 2019-11-28 2020-05-08 重庆小雨点小额贷款有限公司 User behavior prediction method and related device
CN111147489A (en) * 2019-12-26 2020-05-12 中国科学院信息工程研究所 Method and device for discovering spear-phishing emails that use link camouflage

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
Muhammad Adil et al.: "Preventive Techniques of Phishing Attacks in Networks", 2020 3rd International Conference on Advancements in Computational Sciences (ICACS), pages 1-8 *
冯福伟 (Feng Fuwei) et al.: "Research on the application of a secure and efficient combined-key technique to VoIP", Computer & Digital Engineering (计算机与数字工程), vol. 43, no. 12, pages 2221-2228 *
吴晓平 (Wu Xiaoping) et al.: "Research on a security framework for military information systems to defend against advanced persistent threats", Journal of Naval University of Engineering (Comprehensive Edition) (海军工程大学学报(综合版)), vol. 13, no. 2, 15 June 2016 (2016-06-15), pages 30-35 *
马明阳 (Ma Mingyang) et al.: "Social engineering email detection based on a naive Bayes classifier", Proceedings of the 19th National Youth Communication Academic Conference (第十九届全国青年通信学术年会论文集) *
黄殿中 (Huang Dianzhong) et al.: "A new multimodal information hiding architecture for big data environments", Acta Electronica Sinica (电子学报), vol. 45, no. 2, pages 477-484 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113141347A (en) * 2021-03-16 2021-07-20 中国科学院信息工程研究所 Social work information protection method and device, electronic equipment and storage medium
CN113381981A (en) * 2021-05-13 2021-09-10 中国科学院信息工程研究所 Social attack stress transformation protection method and system, electronic device and storage medium
CN113381981B (en) * 2021-05-13 2023-02-21 中国科学院信息工程研究所 Social attack stress transformation protection method and system, electronic device and storage medium
CN114553481A (en) * 2022-01-17 2022-05-27 重庆邮电大学 Network attack event prediction and optimal active defense strategy selection system

Also Published As

Publication number Publication date
CN111859374B (en) 2024-03-19

Similar Documents

Publication Publication Date Title
US10218740B1 (en) Fuzzy hash of behavioral results
US10735458B1 (en) Detection center to detect targeted malware
US10467411B1 (en) System and method for generating a malware identifier
KR101890272B1 (en) Automated verification method of security event and automated verification apparatus of security event
CN106790186B (en) Multi-step attack detection method based on multi-source abnormal event correlation analysis
EP3254224B1 (en) Global clustering of incidents based on malware similarity and online trustfulness
EP2106085B1 (en) System and method for securing a network from zero-day vulnerability exploits
US9106692B2 (en) System and method for advanced malware analysis
CN107070929A (en) Industrial control network honeypot system
CN112383538B (en) Hybrid high-interaction industrial honeypot system and method
CN108183888B (en) Social engineering intrusion attack path detection method based on random forest algorithm
CN111859374B (en) Method, device and system for detecting social engineering attack event
CN110519150B (en) Mail detection method, device, equipment, system and computer readable storage medium
CN110149319B (en) APT organization tracking method and device, storage medium and electronic device
KR101991737B1 (en) Visualization method and visualization apparatus
CN104363240A (en) Unknown threat comprehensive detection method based on information flow behavior validity detection
CN110149318B (en) Mail metadata processing method and device, storage medium and electronic device
CN110750788A (en) Virus file detection method based on high-interaction honeypot technology
CN106911665B (en) Method and system for identifying malicious code weak password intrusion behavior
US11924228B2 (en) Messaging server credentials exfiltration based malware threat assessment and mitigation
CN112751861A (en) Malicious mail detection method and system based on dense network and network big data
KR101991736B1 (en) Correlation visualization method and correlation visualization apparatus
US11811815B2 (en) IP-based security control method and system thereof
CN114697049B (en) WebShell detection method and device
Deraman et al. Public domain datasets for optimizing network intrusion and machine learning approaches

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant