CN111859374B - Method, device and system for detecting social engineering attack event - Google Patents


Info

Publication number
CN111859374B
Authority
CN
China
Prior art keywords
event
social engineering
attack event
attack
features
Prior art date
Legal status
Active
Application number
CN202010698590.5A
Other languages
Chinese (zh)
Other versions
CN111859374A (en)
Inventor
冯福伟
李鹏超
尚程
张振涛
何能强
梁彧
田野
傅强
王杰
杨满智
蔡琳
金红
陈晓光
Current Assignee
Eversec Beijing Technology Co Ltd
Original Assignee
Eversec Beijing Technology Co Ltd

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/554Detecting local intrusion or implementing counter-measures involving event detection and direct action

Abstract

The embodiment of the invention discloses a method, a device and a system for detecting social engineering attack events. The method is applied to a honeypot system and comprises the following steps: capturing network attack events; performing feature matching on the network attack event according to a social engineering knowledge base and a social engineering detection rule base; and determining whether the network attack event is a social engineering attack event according to the matching result. The technical scheme of the embodiment of the invention can realize the efficient and accurate detection of the social engineering attack event.

Description

Method, device and system for detecting social engineering attack event
Technical Field
The embodiment of the invention relates to the technical field of network security, in particular to a method, a device and a system for detecting social engineering attack events.
Background
The rapid spread of the Internet and the mobile Internet has made network access easy for the general public. While people enjoy the convenience of the Internet, their lack of security awareness has made attacks through phishing websites, e-mail, social networks and the like the first choice of social engineering attackers.
Currently, social engineering attack events are detected mainly with traditional security tools such as intrusion detection systems, virus detection systems and spam filtering systems. However, these tools mainly detect viruses, trojans, worms, botnets, malicious mail, malicious links, malicious websites and the like, and cannot detect information related to people, whereas the target of a social engineering attack is a person; this mismatch of targets greatly limits the detection capability of the traditional tools. Secondly, traditional security tools are generally deployed at specific points such as enterprise and business system gateways, are not suited to a large-scale network environment, and each detection point is independent with its own data, so an attack event is usually assessed from the result of a single detection point, and the detection effect is poor.
Disclosure of Invention
The embodiment of the invention provides a method, a device and a system for detecting social engineering attack events, which are used for realizing efficient and accurate detection of the social engineering attack events.
In a first aspect, an embodiment of the present invention provides a method for detecting a social engineering attack event, which is applied to a honeypot system, including:
Capturing network attack events;
according to the social engineering knowledge base and the social engineering detection rule base, carrying out feature matching on the network attack event;
and determining whether the network attack event is a social engineering attack event according to the matching result.
Optionally, performing feature matching on the network attack event according to the social engineering knowledge base and the social engineering detection rule base includes:
extracting features of the network attack event to obtain event features of the network attack event;
matching the attacker features included in the event features with a target attacker feature set included in the social engineering knowledge base; and/or
And matching the psychological characteristics included in the event characteristics with the target psychological characteristics set included in the social engineering knowledge base, and matching the technical characteristics included in the event characteristics with the detection rule set included in the social engineering detection rule base.
Optionally, determining whether the network attack event is a social engineering attack event according to the matching result includes:
if the attacker features included in the event features belong to the target attacker feature set included in the social engineering knowledge base, determining that the network attack event is a social engineering attack event; and/or
If the event features have psychological features belonging to the target psychological feature set and the detection rules matched with the technical features included in the event features have target detection rules in the detection rule set included in the social engineering detection rule base, determining that the network attack event is a social engineering attack event.
Optionally, determining whether the network attack event is a social engineering attack event according to the matching result includes:
if the event features have psychological features belonging to the target psychological feature set and the detection rules matched with the technical features included in the event features do not exist in the detection rule set included in the social engineering detection rule base, determining that the network attack event is a suspected social engineering attack event.
Optionally, the set of target psychological characteristics includes at least: frightening features, alluring features, fear features, curiosity features, trust features, greedy features, homonymy features, guilt features, and authority features;
the detection rule set at least comprises: malicious IP detection rules, malicious link detection rules, malicious mail detection rules, trojan detection rules, virus detection rules, and backdoor program detection rules.
In a second aspect, an embodiment of the present invention further provides a device for detecting a social engineering attack event, which is applied to a honeypot system, including:
the capturing module is used for capturing network attack events;
the matching module is used for carrying out characteristic matching on the network attack event according to the social engineering knowledge base and the social engineering detection rule base;
and the determining module is used for determining whether the network attack event is a social engineering attack event according to the matching result.
In a third aspect, an embodiment of the present invention further provides a system for detecting a social engineering attack event, including: a preset number of honeypot systems, a controller, an event analysis system and a data storage system;
the honeypot system is used for executing the method for detecting the social engineering attack event provided by any embodiment of the invention and sending the detected social engineering attack event to the controller;
the controller is used for storing the social engineering attack events sent by each honeypot system to the data storage system and issuing event analysis instructions corresponding to each social engineering attack event to the event analysis system;
and the event analysis system is used for carrying out association analysis on each social engineering attack event matched with the current event analysis instruction, and updating a social engineering knowledge base and a social engineering detection rule base which are included in the data storage system according to association analysis results.
Optionally, the honeypot system is further configured to send the detected suspected social engineering attack event to the controller;
the controller is also used for storing the suspected social engineering attack event sent by the honeypot system to the data storage system and issuing an event type judgment instruction corresponding to the suspected social engineering attack event to the event analysis system;
the event analysis system is also used for carrying out feature classification statistics on the suspected social engineering attack event matched with the current event type judgment instruction; if the feature statistics value is larger than a preset threshold value, the suspected social engineering attack event is determined to be a social engineering attack event, otherwise it is determined to be another type of network attack event.
Optionally, the event analysis system is further configured to add a social engineering attack identifier to each social engineering attack event in the data storage system.
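The controller/event-analysis path described in the third aspect above (suspected events stored centrally, feature classification statistics compared with a preset threshold, a social engineering attack identifier added to confirmed events, and the knowledge base updated) as an added worked example; this is not code from the patent or from Eversec. The threshold value, the choice of statistic (number of distinct honeypots that reported the same sender with a target psychological feature) and the sample reports are all constructed here, since the patent only says "a preset threshold":

```python
"""Event analysis side of the detection system: confirm or reject suspected
social engineering attack events reported by several honeypots, tag the
confirmed ones, and feed their attacker features back into the knowledge base.

Added example, not the patent's own code. Threshold, statistic and sample
reports are constructed assumptions.
"""
from collections import defaultdict

PRESET_THRESHOLD = 2            # constructed; the patent leaves the value open
SE_TAG = "social_engineering"   # the "social engineering attack identifier"

# Constructed suspected-event reports, in the shape the controller stores them
# (event time, communication tool, sender, receiver, content, plus the
# psychological features the honeypot extracted).
SUSPECTED_REPORTS = [
    {"honeypot": "hp-01", "time": "2020-07-20T09:00:00", "tool": "mail",
     "sender_id": "prize_bot", "sender_ip": "192.0.2.10", "receiver_id": "u01",
     "psych": ["temptation"], "content": "You have won a free trip"},
    {"honeypot": "hp-02", "time": "2020-07-20T09:05:00", "tool": "mail",
     "sender_id": "prize_bot", "sender_ip": "192.0.2.10", "receiver_id": "u02",
     "psych": ["temptation"], "content": "You have won a free trip"},
    {"honeypot": "hp-03", "time": "2020-07-20T09:07:00", "tool": "im",
     "sender_id": "prize_bot", "sender_ip": "192.0.2.10", "receiver_id": "u03",
     "psych": ["temptation"], "content": "Claim your free trip"},
    {"honeypot": "hp-04", "time": "2020-07-20T10:00:00", "tool": "mail",
     "sender_id": "admin-notice", "sender_ip": "192.0.2.11", "receiver_id": "u04",
     "psych": ["frightening"], "content": "Your account will be closed"},
    # same honeypot reporting the same sender twice: counted once
    {"honeypot": "hp-01", "time": "2020-07-20T11:00:00", "tool": "mail",
     "sender_id": "prize_bot", "sender_ip": "192.0.2.10", "receiver_id": "u01",
     "psych": ["temptation"], "content": "Last chance for your free trip"},
]


def feature_statistics(reports):
    """Feature classification statistics: for each sender, the number of
    distinct honeypots that reported it with at least one psychological feature."""
    seen = defaultdict(set)
    for r in reports:
        if r["psych"]:
            seen[r["sender_id"]].add(r["honeypot"])
    return {sender: len(hps) for sender, hps in seen.items()}


def judge_suspected(reports, threshold=PRESET_THRESHOLD):
    """Event type judgment: statistic > threshold means social engineering
    attack event (and gets the identifier), otherwise another event type."""
    stats = feature_statistics(reports)
    judged = []
    for r in reports:
        is_se = stats.get(r["sender_id"], 0) > threshold
        judged.append({**r,
                       "type": SE_TAG if is_se else "other",
                       "tag": SE_TAG if is_se else None})
    return judged


def update_knowledge_base(kb, judged):
    """Association result: attacker features of confirmed events join the
    target attacker feature set, so every honeypot can match them directly."""
    for r in judged:
        if r["type"] == SE_TAG:
            kb["target_attackers"].add(("id", r["sender_id"]))
            kb["target_attackers"].add(("ip", r["sender_ip"]))
    return kb


if __name__ == "__main__":
    judged = judge_suspected(SUSPECTED_REPORTS)
    for r in judged:
        print(r["honeypot"], r["sender_id"], "->", r["type"])
    kb = update_knowledge_base({"target_attackers": set()}, judged)
    print("knowledge base now holds", sorted(kb["target_attackers"]))
```

Counting distinct honeypots rather than raw reports is the design choice worth noting: a single honeypot receiving the same lure repeatedly says little about the network-wide spread that the distributed deployment is meant to reveal, so the statistic deduplicates per reporting site before the threshold comparison.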
Alternatively, the honeypot system comprises a high interaction honeypot system.
In a fourth aspect, embodiments of the present invention further provide a honeypot system, including:
one or more processors;
storage means for storing one or more programs,
when the one or more programs are executed by the one or more processors, the one or more processors implement the method for detecting a social engineering attack event provided by any embodiment of the present invention.
In a fifth aspect, embodiments of the present invention further provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the method for detecting a social engineering attack event provided by any of the embodiments of the present invention.
According to the technical scheme of the embodiment of the invention, the honeypot system captures network attack events, performs feature matching on them according to the social engineering knowledge base and the social engineering detection rule base, and determines from the matching result whether each event is a social engineering attack event. This solves the problem that traditional security detection tools in the prior art cannot effectively detect social engineering attack events, and achieves efficient and accurate detection of such events.
Drawings
FIG. 1 is a flow chart of a method for detecting a social engineering attack event according to a first embodiment of the present invention;
FIG. 2 is a schematic structural diagram of a social engineering attack event detection device according to a second embodiment of the present invention;
FIG. 3a is a schematic diagram of a system for detecting a social engineering attack event according to a third embodiment of the present invention;
FIG. 3b is a flow chart of a method of detecting a social engineering attack event in accordance with a third embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a honeypot system according to a fourth embodiment of the invention.
Detailed Description
The invention is described in further detail below with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting thereof. It should be further noted that, for convenience of description, only some, but not all of the structures related to the present invention are shown in the drawings.
Example 1
Fig. 1 is a flowchart of a method for detecting a social engineering attack event according to a first embodiment of the present invention, where the method may be performed by a device for detecting a social engineering attack event, and the device may be implemented by software and/or hardware and may be generally integrated in a honeypot system. As shown in fig. 1, the method includes:
step 110, capturing network attack event.
The honeypot system is essentially a technology for cheating an attacker, and by arranging a host, network service or information serving as a bait, the attacker is induced to attack the honeypot system, so that the attack behavior can be captured and analyzed, tools and methods used by the attacker are known, and the attack intention and motivation are presumed, so that the safety protection capability of the defender is enhanced.
In the embodiment of the invention, the honeypot system can be deployed at different geographic positions across the whole network to form a distributed honeypot network, so as to capture network attack events in a large-scale network environment and widen the detection range for social engineering attack events. The network attack events captured by the honeypot system may include conventional network attack events and social engineering attack events. A conventional network attack carries out a purely technical malicious attack on the victim, whereas a social engineering attack first exploits human weaknesses to obtain information about the victim or to establish some social relationship with the victim, and then uses the obtained information or the established relationship to carry out a malicious network attack and obtain valuable information from the victim.
In the embodiment of the invention, the honeypot system is a real computer system that provides a complete operating system and services, where the operating system includes Windows, Mac iOS and Linux systems, and the services include WeChat, QQ, Arwang, mail systems and the like. The honeypot system is set up by copying the real computer environment to a designated computer, so that the real computer environment is not damaged if the honeypot system is compromised.
And 120, performing feature matching on the network attack event according to the social engineering knowledge base and the social engineering detection rule base.
In the embodiment of the invention, the honeypot system is configured with a social engineering knowledge base and a social engineering detection rule base. After a network attack event is captured, whether it is a social engineering network attack event can be analyzed according to the psychological characteristics of hackers and the characteristics of social engineering attackers included in the social engineering knowledge base, and the network attack detection rules included in the social engineering detection rule base.
Optionally, the feature matching for the network attack event according to the social engineering knowledge base and the social engineering detection rule base may include: extracting features of the network attack event to obtain event features of the network attack event; matching the attacker features included in the event features with a target attacker feature set included in the social engineering knowledge base; and/or matching the psychological features included in the event features with the set of target psychological features included in the social engineering knowledge base, and matching the technical features included in the event features with the set of detection rules included in the social engineering detection rules base.
In embodiments of the present invention, event features may include psychological features, attacker features, and technical features. When analyzing the captured cyber attack event, psychological features may be extracted from the cyber attack event, such as a frightening feature corresponding to "let you be tired if a link is not opened", a tempting feature corresponding to "open a link can share three-day free trip in europe", and the like; the attacker characteristics, e.g., attacker ID, attacker IP address, etc., may be extracted from the network attack event; and, relevant technical features, such as links, mails, etc. carried in the network attack event, may be extracted from the network attack event.
Considering that the social engineering network attack event can be directly judged according to the social engineering attacker characteristics, namely the target attacker characteristics, the acquired attacker characteristics can be matched with the target attacker characteristics set included in the social engineering knowledge base so as to analyze whether the current network attack event is the social engineering network attack event or not; meanwhile, whether the current network attack event is a social engineering network attack event can be judged by combining the psychological characteristics and the technical characteristics of the current network attack event, so that the psychological characteristics are matched with a target psychological characteristic set included in a social engineering knowledge base, and the technical characteristics included in the event characteristics are matched with a detection rule set included in a social engineering detection rule base.
Optionally, the set of target psychological characteristics includes at least: frightening features, temptation features, fear features, curiosity features, trust features, greedy features, homonymy features, guilt features, and authority features.
The detection rule set at least comprises: malicious IP detection rules, malicious link detection rules, malicious mail detection rules, trojan detection rules, virus detection rules, and backdoor program detection rules.
It should be noted that, in the embodiment of the present invention, the target psychological characteristic set is not limited to the above psychological characteristics and the detection rule set is not limited to the above detection rules; both sets may be updated and refined as confirmed social engineering attack events are learned from.
In the embodiment of the invention, the honeypot system is provided with the social engineering knowledge base and the social engineering detection rule base, so that it can accurately judge whether a captured network attack event is a social engineering attack event from both the human angle and the technical security angle, which improves the detection accuracy of the honeypot system for social engineering attack events.
And 130, determining whether the network attack event is a social engineering attack event according to the matching result.
Optionally, determining whether the network attack event is a social engineering attack event according to the matching result may include: if the attacker features included in the event features belong to the target attacker feature set included in the social engineering knowledge base, determining that the network attack event is a social engineering attack event; and/or if the psychological characteristics belonging to the target psychological characteristic set exist in the event characteristics, and the target detection rules matched with the technical characteristics included in the event characteristics exist in the detection rule set included in the social engineering detection rule base, determining that the network attack event is the social engineering attack event.
In the embodiment of the invention, if an attacker characteristic of the current network attack event is consistent with a characteristic of some target attacker in the target attacker characteristic set, for example the attacker IP address of the current network attack event is the same as the IP address of a target attacker, the current network attack event is considered to be a social engineering network attack event initiated by that target attacker. If no characteristic in the target attacker characteristic set matches an attacker characteristic of the current network attack event, the current network attack event is not necessarily a social engineering attack event, and further judgment is needed. In that case, if at least one psychological characteristic of the current network attack event belongs to the target psychological characteristic set, and a target detection rule in the detection rule set matches a technical characteristic of the current network attack event, for example a link carried in the current network attack event hits a malicious link detection rule in the detection rule set, the network attack event is determined to be a social engineering attack event.
In the embodiment of the invention, judging a social engineering attack event by the combination of psychological and technical characteristics and judging it by attacker characteristics have no fixed execution order: the two may be performed in either order, or only one of the two modes may be used, as required, to judge whether the current network attack event is a social engineering attack event.
Optionally, determining whether the network attack event is a social engineering attack event according to the matching result may include: if the event features have psychological features belonging to the target psychological feature set and the detection rules matched with the technical features included in the event features do not exist in the detection rule set included in the social engineering detection rule base, determining that the network attack event is a suspected social engineering attack event.
In the embodiment of the invention, when the social engineering attack event is judged by adopting a mode of combining the psychological characteristics and the technical characteristics, if at least one psychological characteristic belonging to the target psychological characteristic set exists in the psychological characteristics of the current network attack event, but the technical characteristics of the current network attack event are not matched with any target detection rule in the detection rule set, the current network attack event is considered to be a suspected social engineering attack event, and further analysis and judgment are needed.
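The matching and decision logic of steps 120 and 130 (attacker-feature match; psychological plus technical match; psychological match alone giving a suspected event; nothing else giving another event type), as an added worked example. This is not code from the patent or from Eversec: the knowledge base entries, the keyword cues used to extract psychological features, the detection-rule patterns and the sample events are all constructed for illustration, and the cue table deliberately contains a "greeting" feature that is not in the target set so that extraction and matching stay distinct steps:

```python
"""Honeypot-side classifier for the matching logic of steps 120 and 130.

Added example, not the patent's own code. Knowledge base entries, cue words,
rule patterns and sample events are constructed assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed social engineering knowledge base.
# Target attacker feature set: (feature kind, value) pairs of known attackers.
TARGET_ATTACKER_FEATURES = {
    ("ip", "203.0.113.45"),     # documentation-range address, constructed
    ("id", "lucky_draw_2020"),
}
# Target psychological feature set, as listed in the patent.
TARGET_PSYCHOLOGICAL_FEATURES = {
    "frightening", "temptation", "fear", "curiosity", "trust",
    "greed", "homonymy", "guilt", "authority",
}
# Assumed extraction vocabulary: cue phrases that label a message with a
# psychological feature. "greeting" is deliberately NOT a target feature.
PSYCHOLOGICAL_CUES = {
    "frightening": ["account will be closed", "legal action"],
    "temptation": ["free trip", "you have won"],
    "authority": ["from the it department", "on behalf of the ceo"],
    "greeting": ["happy new year"],
}
# Constructed social engineering detection rule base (technical rules).
DETECTION_RULES = {
    "malicious_link": re.compile(r"https?://\S*(?:login-verify|free-prize)\.example\b"),
    "malicious_ip": re.compile(r"^198\.51\.100\.\d{1,3}$"),
    "malicious_attachment": re.compile(r"\.(?:exe|scr|js)$", re.I),
}


@dataclass
class Event:
    attacker_ip: str
    attacker_id: str
    text: str
    attachments: list = field(default_factory=list)


@dataclass
class EventFeatures:
    attacker: set
    psychological: set
    technical: list   # strings the technical rules are tested against


def extract_features(ev: Event) -> EventFeatures:
    """Step 120, first part: derive attacker, psychological and technical features."""
    low = ev.text.lower()
    psych = {name for name, cues in PSYCHOLOGICAL_CUES.items()
             if any(c in low for c in cues)}
    links = re.findall(r"https?://\S+", ev.text)
    return EventFeatures(
        attacker={("ip", ev.attacker_ip), ("id", ev.attacker_id)},
        psychological=psych,
        technical=links + list(ev.attachments) + [ev.attacker_ip],
    )


def classify(ev: Event) -> tuple:
    """Steps 120 and 130: returns (verdict, details) with verdict one of
    'social_engineering', 'suspected' or 'other'."""
    f = extract_features(ev)
    attacker_hits = f.attacker & TARGET_ATTACKER_FEATURES
    if attacker_hits:                    # direct match on a known attacker
        return "social_engineering", {"by": "attacker", "matched": sorted(attacker_hits)}
    psych_hits = f.psychological & TARGET_PSYCHOLOGICAL_FEATURES
    rule_hits = sorted(name for name, rx in DETECTION_RULES.items()
                       if any(rx.search(t) for t in f.technical))
    if psych_hits and rule_hits:         # psychological + technical match
        return "social_engineering", {"by": "psych+tech",
                                      "psych": sorted(psych_hits), "rules": rule_hits}
    if psych_hits:                       # psychological only: suspected, analyze further
        return "suspected", {"by": "psych", "psych": sorted(psych_hits)}
    return "other", {"by": "none"}


# Constructed sample events as the honeypot might capture them.
SAMPLE_EVENTS = {
    "known_attacker": Event("203.0.113.45", "someone", "Hi, please check this."),
    "prize_mail": Event("192.0.2.10", "prize_bot",
                        "You have won a free trip to Europe! Claim at "
                        "http://free-prize.example/claim today"),
    "threat_only": Event("192.0.2.11", "admin-notice",
                         "Your account will be closed unless you confirm your details."),
    "greeting": Event("192.0.2.12", "colleague",
                      "Happy New Year! Photos attached.", ["photos.zip"]),
}

if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        verdict, details = classify(ev)
        print(f"{name:15s} -> {verdict:18s} {details}")
```

The "threat_only" event is the case step 130's second variant is about: a frightening cue with no link, attachment or IP that any technical rule recognises yields "suspected" rather than a firm verdict, which is exactly what the event analysis system of the third embodiment then resolves across honeypots.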
According to the technical scheme of the embodiment of the invention, the honeypot system captures network attack events, performs feature matching on them according to the social engineering knowledge base and the social engineering detection rule base, and determines from the matching result whether each event is a social engineering attack event. This solves the problem that traditional security detection tools in the prior art cannot effectively detect social engineering attack events, and achieves efficient and accurate detection of such events.
Example 2
Fig. 2 is a schematic structural diagram of a social engineering attack event detection device according to a second embodiment of the present invention. The present embodiment is applicable to detecting social engineering attack events; the device may be implemented in software and/or hardware and may generally be integrated in a honeypot system. As shown in fig. 2, the device is applied to a honeypot system and comprises:
a capturing module 210, configured to capture a network attack event;
the matching module 220 is configured to perform feature matching on the network attack event according to the social engineering knowledge base and the social engineering detection rule base;
a determining module 230, configured to determine whether the network attack event is a social engineering attack event according to the matching result.
According to the technical scheme of the embodiment of the invention, the honeypot system captures network attack events, performs feature matching on them according to the social engineering knowledge base and the social engineering detection rule base, and determines from the matching result whether each event is a social engineering attack event. This solves the problem that traditional security detection tools in the prior art cannot effectively detect social engineering attack events, and achieves efficient and accurate detection of such events.
Optionally, the matching module 220 is specifically configured to:
extracting features of the network attack event to obtain event features of the network attack event; matching the attacker features included in the event features with a target attacker feature set included in the social engineering knowledge base; and/or
And matching the psychological characteristics included in the event characteristics with the target psychological characteristics set included in the social engineering knowledge base, and matching the technical characteristics included in the event characteristics with the detection rule set included in the social engineering detection rule base.
Optionally, the determining module 230 is specifically configured to:
if the attacker features included in the event features belong to the target attacker feature set included in the social engineering knowledge base, determining that the network attack event is a social engineering attack event; and/or
If the event features have psychological features belonging to the target psychological feature set and the detection rules matched with the technical features included in the event features have target detection rules in the detection rule set included in the social engineering detection rule base, determining that the network attack event is a social engineering attack event.
Optionally, the determining module 230 is specifically configured to:
if the event features have psychological features belonging to the target psychological feature set and the detection rules matched with the technical features included in the event features do not exist in the detection rule set included in the social engineering detection rule base, determining that the network attack event is a suspected social engineering attack event.
Optionally, the set of target psychological characteristics includes at least: frightening features, alluring features, fear features, curiosity features, trust features, greedy features, homonymy features, guilt features, and authority features;
the detection rule set at least comprises: malicious IP detection rules, malicious link detection rules, malicious mail detection rules, trojan detection rules, virus detection rules, and backdoor program detection rules.
The social engineering attack event detection device provided by the embodiment of the invention can execute the social engineering attack event detection method applied to the honeypot system provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
Example 3
Fig. 3a is a schematic structural diagram of a system for detecting a social engineering attack event according to a third embodiment of the present invention, and the present embodiment is applicable to a case of detecting a social engineering attack event. As shown in fig. 3a, the system comprises: a preset number of honeypot systems 310, a controller 320, an event analysis system 330, and a data storage system 340;
a honeypot system 310 for capturing network attack events; according to the social engineering knowledge base and the social engineering detection rule base, carrying out feature matching on the network attack event; determining whether the network attack event is a social engineering attack event according to the matching result, and transmitting the detected social engineering attack event to the controller 320;
a controller 320, configured to store the social engineering attack events sent by each honeypot system 310 to the data storage system 340, and issue an event analysis instruction corresponding to each social engineering attack event to the event analysis system 330;
the event analysis system 330 is configured to perform association analysis on each social engineering attack event matched with the current event analysis instruction, and update the social engineering knowledge base and the social engineering detection rule base included in the data storage system 340 according to the association analysis result.
In the embodiment of the invention, the honeypot systems are deployed across the whole network, so that network attack events are captured in a large-scale network environment, and real social engineering attack behavior is detected by gathering, analyzing and correlating the data captured by each honeypot system.
In the embodiment of the present invention, as shown in fig. 3b, the detection system deploys the honeypot systems 310 in different geographic locations throughout the network, so that every province nationally has at least one honeypot system 310, i.e., the resulting distributed honeypot network contains at least 31 honeypot systems 310. Moreover, every honeypot system 310 has the same system environment and is configured with the same social engineering knowledge base and social engineering detection rule base.
In the embodiment of the present invention, as shown in fig. 3b, the honeypot system 310 may capture various types of received cyber attack events, perform feature matching on the captured cyber attack events by using a social engineering knowledge base and a social engineering detection rule base, detect whether the captured cyber attack events are social engineering attack events with social engineering features, and report the detected social engineering attack events to the controller 320. The honeypot system 310 may also receive instructions and data issued by the controller 320, and is controlled by the controller 320.
The events reported by the deployed distributed honeypot systems 310 to the controller 320 are of various types. For example, when the social engineering attack event is a phishing mail, the reported content includes the event time, mail sender, mail receiver, mail body, mail attachment, etc.; when the social engineering attack event is an instant messaging message, the reported content includes the event time, communication tool type, message sender ID, message receiver ID, message content, message attachment, etc.
Optionally, the honeypot system 310 is specifically configured to: extracting features of the network attack event to obtain event features of the network attack event; matching the attacker features included in the event features with a target attacker feature set included in the social engineering knowledge base; and/or matching the psychological features included in the event features with the set of target psychological features included in the social engineering knowledge base, and matching the technical features included in the event features with the set of detection rules included in the social engineering detection rules base.
Optionally, the honeypot system 310 is specifically configured to: if the attacker features included in the event features belong to the target attacker feature set included in the social engineering knowledge base, determining that the network attack event is a social engineering attack event; and/or if the psychological characteristics belonging to the target psychological characteristic set exist in the event characteristics, and the target detection rules matched with the technical characteristics included in the event characteristics exist in the detection rule set included in the social engineering detection rule base, determining that the network attack event is the social engineering attack event.
Optionally, the set of target psychological characteristics includes at least: frightening features, alluring features, fear features, curiosity features, trust features, greedy features, homonymy features, guilt features, and authority features; the detection rule set at least comprises: malicious IP detection rules, malicious link detection rules, malicious mail detection rules, trojan detection rules, virus detection rules, and backdoor program detection rules.
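The three matching paths just described (attacker features against the target attacker feature set, psychological features against the target psychological feature set, technical features against the detection rule set) and the resulting verdicts, including the suspected-event rule the description also gives, as an added example. This is not the patent's own code: the knowledge base entries, the detection rules, the `source_ip` field and every captured event below are constructed sample values, and the psychological feature triggers are a small subset of the nine features named above.

```python
"""Honeypot-side feature matching for captured events (added example)."""
import re
from dataclasses import dataclass

# --- Constructed social engineering knowledge base ---------------------
# Attacker features: a sender domain already seen in confirmed social
# engineering events (assumption: the real base is synchronised from the
# controller and holds many more attacker attributes).
TARGET_ATTACKER_FEATURES = {"sender_domain:invoice-alerts.example"}

# Psychological features: a subset of the nine named in the description,
# each keyed to constructed trigger phrases.
TARGET_PSYCH_FEATURES = {
    "frightening": re.compile(r"\b(suspended|locked|terminated)\b", re.I),
    "alluring": re.compile(r"\b(prize|bonus|reward)\b", re.I),
    "curiosity": re.compile(r"\b(see who|you won't believe)\b", re.I),
    "greedy": re.compile(r"\b(free money|double your)\b", re.I),
    "guilt": re.compile(r"\b(you forgot|overdue)\b", re.I),
    "authority": re.compile(r"\b(CEO|IT department|compliance)\b", re.I),
}

# --- Constructed social engineering detection rule base ----------------
MALICIOUS_IPS = {"203.0.113.45"}                       # TEST-NET-3 address, constructed
MALICIOUS_LINK = re.compile(r"https?://\S*\.invalid\b", re.I)  # placeholder TLD
MALICIOUS_ATTACHMENT_EXTS = (".exe", ".scr", ".js")    # stands in for trojan/virus rules


@dataclass(frozen=True)
class EventFeatures:
    attacker: frozenset
    psychological: frozenset
    technical: frozenset


def extract_features(event: dict) -> EventFeatures:
    """Feature extraction. `event` carries the phishing-mail report fields from
    the description (event_time, sender, receiver, body, attachment) plus a
    constructed source_ip field."""
    attacker = {"sender_domain:" + event["sender"].rsplit("@", 1)[-1].lower()}
    text = event["body"]
    psychological = {name for name, rx in TARGET_PSYCH_FEATURES.items() if rx.search(text)}
    technical = set()
    if event.get("source_ip") in MALICIOUS_IPS:
        technical.add("malicious_ip")
    if MALICIOUS_LINK.search(text):
        technical.add("malicious_link")
    attachment = (event.get("attachment") or "").lower()
    if attachment.endswith(MALICIOUS_ATTACHMENT_EXTS):
        technical.add("malicious_attachment")
    return EventFeatures(frozenset(attacker), frozenset(psychological), frozenset(technical))


def classify(event: dict) -> str:
    """Matching and decision:
    - attacker feature in the target attacker set        -> social_engineering
    - psychological feature AND a matched detection rule -> social_engineering
    - psychological feature but no matched rule          -> suspected
      (reported to the controller for further analysis)
    - no social engineering features                     -> discard
    """
    f = extract_features(event)
    if f.attacker & TARGET_ATTACKER_FEATURES:
        return "social_engineering"
    if f.psychological and f.technical:
        return "social_engineering"
    if f.psychological:
        return "suspected"
    return "discard"


# Constructed captured events (all addresses, domains and text are samples).
SAMPLE_EVENTS = {
    "phish": {"event_time": "2020-07-20T09:15:00Z", "sender": "alerts@bank-mail.example",
              "receiver": "honeypot-user@trap.example", "source_ip": "198.51.100.7",
              "body": "Your account will be suspended. Verify at http://login-verify.invalid/reset",
              "attachment": None},
    "ceo_fraud": {"event_time": "2020-07-20T10:02:00Z", "sender": "boss@webmail.example",
                  "receiver": "honeypot-user@trap.example", "source_ip": "198.51.100.8",
                  "body": "The CEO asked me to handle an urgent payment, reply today.",
                  "attachment": None},
    "known_sender": {"event_time": "2020-07-20T11:30:00Z", "sender": "billing@invoice-alerts.example",
                     "receiver": "honeypot-user@trap.example", "source_ip": "198.51.100.9",
                     "body": "Please find the attached invoice.", "attachment": "invoice.pdf"},
    "scan": {"event_time": "2020-07-20T12:00:00Z", "sender": "", "receiver": "",
             "source_ip": "198.51.100.10", "body": "TCP connect to port 22, banner grab only",
             "attachment": None},
}


def classify_all() -> dict:
    """Verdict for each constructed event, keyed by its label."""
    return {name: classify(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:>12}: {verdict}")
```

The "scan" event shows the discard path from the description: an event with neither a known attacker feature nor any psychological feature is dropped at the honeypot and never reaches the controller, which keeps the central analysis queue limited to events that carry social engineering characteristics.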
In the embodiment of the present invention, the controller 320 is the central hub of the entire detection system and connects components such as the honeypot system 310, the event analysis system 330, and the data storage system 340. As shown in fig. 3b, the controller 320 may issue instructions to the honeypot system 310 and synchronize data with it, may receive social engineering attack events reported by the honeypot system 310, save the event data to the data storage system 340, and issue event analysis instructions to the event analysis system 330 so that the event analysis system 330 analyzes the event further. The controller 320 also provides a visual operation interface to the user to facilitate data lookup, system configuration, etc.
In the embodiment of the present invention, after receiving the event analysis instruction issued by the controller 320, the event analysis system 330 classifies and counts the social engineering attack events reported by the honeypot system 310, obtains the proportion of each psychological feature in the events, and uses association rules to mine the association relationships hidden between data items from the event data of the social engineering attack event and the event data stored in the data storage system 340. For example, if a social engineering attack event includes both a temptation feature and a threat feature, the degree of association between the temptation feature and the threat feature may be mined. The social engineering knowledge base and the social engineering detection rule base in all honeypot systems 310 are then updated according to the proportion of each psychological feature and the degree of association between features; for example, new features or feature association relations are added to the social engineering knowledge base, and detection rules corresponding to the new features are added to the social engineering detection rule base, so that the accuracy of detecting social engineering attack events is improved.
In the embodiment of the present invention, after receiving the event analysis instruction issued by the controller 320, the event analysis system 330 may further check whether other honeypot systems 310 have also detected the social engineering attack event; if so, it acquires the data of the social engineering attack event detected by the other honeypot systems and performs association analysis with the data of the attack event reported by the current honeypot system, for example from the perspective of the attack range of the event, the number of attackers, etc., so as to determine that the event has a higher probability of being a social engineering attack.
In an embodiment of the present invention, the data storage system 340 may provide access to all data in the detection system, including data such as social engineering knowledge, social engineering detection rules, social engineering attack events, network attack events, and the like. The data storage system 340 also provides data read-write services to meet the write and read demands of the controller 320 and the event analysis system 330 for various types of data.
In the embodiment of the present invention, after the honeypot system 310 captures a network attack event, the event analysis system 330 may also pre-process the data of the captured network attack event so as to remove incomplete, inconsistent or abnormal event data, so that the honeypot system 310 only analyzes the screened network attack events, which improves the efficiency of the honeypot system in detecting network attack events.
Optionally, the honeypot system 310 is further configured to send the detected suspected social engineering attack event to the controller 320;
the controller 320 is further configured to store the suspected social engineering attack event sent by the honeypot system 310 to the data storage system 340, and send an event type judgment instruction corresponding to the suspected social engineering attack event to the event analysis system 330;
the event analysis system 330 is further configured to perform feature classification statistics on the suspected social engineering attack event that matches the current event type judgment instruction, determine that the suspected social engineering attack event is a social engineering attack event if the feature statistics value is greater than a preset threshold, and determine that the suspected social engineering attack event is other types of network attack events if the feature statistics value is not greater than the preset threshold.
In the embodiment of the present invention, when the honeypot system 310 combines psychological characteristics and technical characteristics to determine a social engineering attack event, if at least one psychological characteristic belonging to the target psychological characteristic set exists in the psychological characteristics of the current network attack event, but the technical characteristics of the current network attack event do not match any target detection rule in the detection rule set, the current network attack event is considered a suspected social engineering attack event with social engineering characteristics, and further analysis and determination are required. At this point, the honeypot system 310 may report the suspected social engineering attack event to the controller 320, and the controller 320 invokes the event analysis system 330 to further determine whether the event is a social engineering attack event. It should be noted that the honeypot system 310 directly discards network attack events that do not have social engineering characteristics.
In the embodiment of the present invention, after receiving the event type determining instruction corresponding to the suspected social engineering attack event issued by the controller 320, the event analysis system 330 performs feature classification statistics on the suspected social engineering attack event matched with the current event type determining instruction, determines that the suspected social engineering attack event is a social engineering attack event when the feature statistics value is greater than a preset threshold value, and determines that the suspected social engineering attack event is another type of network attack event when the feature statistics value is less than or equal to the preset threshold value. For example, if the preset threshold value for determining a social engineering attack is 4 and the suspected social engineering attack event includes 3 psychological features, that is, the feature statistics value is 3, the suspected social engineering attack event is determined to be another type of network attack event.
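The event analysis side of the description, as an added example covering the proportion of each psychological feature, association mining between features, the cross-honeypot corroboration check described earlier, and the preset-threshold judgment of suspected events. This is not the patent's own code: the reports, honeypot node names and attacker identifiers are constructed, the pairwise support/confidence measure is one simple form of association rule mining and is an assumption about the mining step, and the feature names are the ones listed in the description.

```python
"""Event-analysis-side statistics, association mining and threshold
judgment over honeypot reports (added example)."""
from collections import Counter
from itertools import combinations

# Constructed reports: psychological feature sets of confirmed social
# engineering events, each tagged with the reporting honeypot node and a
# constructed attacker identifier.
SAMPLE_REPORTS = [
    {"honeypot": "hp-beijing", "attacker": "a1", "features": {"frightening", "alluring"}},
    {"honeypot": "hp-shanghai", "attacker": "a1", "features": {"frightening", "alluring", "authority"}},
    {"honeypot": "hp-guangdong", "attacker": "a2", "features": {"authority", "trust"}},
    {"honeypot": "hp-beijing", "attacker": "a3", "features": {"frightening", "fear"}},
    {"honeypot": "hp-sichuan", "attacker": "a4", "features": {"alluring", "greedy"}},
]


def feature_proportions(reports):
    """Share of events in which each psychological feature appears."""
    total = len(reports)
    counts = Counter(f for r in reports for f in r["features"])
    return {f: c / total for f, c in counts.items()}


def pairwise_associations(reports, min_support=0.3):
    """Support and confidence for every feature pair seen together in at
    least `min_support` of the events (pairwise association rules)."""
    total = len(reports)
    single = Counter(f for r in reports for f in r["features"])
    pairs = Counter()
    for r in reports:
        for a, b in combinations(sorted(r["features"]), 2):
            pairs[(a, b)] += 1
    rules = {}
    for (a, b), c in pairs.items():
        support = c / total
        if support >= min_support:
            rules[(a, b)] = {
                "support": support,
                "conf_a_to_b": c / single[a],   # P(b | a)
                "conf_b_to_a": c / single[b],   # P(a | b)
            }
    return rules


def knowledge_base_updates(rules, min_confidence=0.5):
    """Feature association relations strong enough in both directions to be
    added to the knowledge base (assumption: the base stores feature pairs)."""
    return sorted((a, b) for (a, b), m in rules.items()
                  if min(m["conf_a_to_b"], m["conf_b_to_a"]) >= min_confidence)


def corroboration(reports, attacker):
    """Number of distinct honeypot nodes that reported the same attacker;
    a wider attack range raises the probability of a social engineering
    campaign, per the cross-honeypot check in the description."""
    return len({r["honeypot"] for r in reports if r["attacker"] == attacker})


def judge_suspected(psych_features, threshold=4):
    """Threshold rule for suspected events: the feature statistics value is
    the number of psychological features; strictly greater than the preset
    threshold means social engineering, otherwise another attack type."""
    return "social_engineering" if len(psych_features) > threshold else "other"


if __name__ == "__main__":
    print(feature_proportions(SAMPLE_REPORTS))
    rules = pairwise_associations(SAMPLE_REPORTS)
    print(rules)
    print("knowledge base updates:", knowledge_base_updates(rules))
    print("nodes that saw attacker a1:", corroboration(SAMPLE_REPORTS, "a1"))
    print(judge_suspected({"frightening", "alluring", "authority"}))
```

With the constructed reports, only the (alluring, frightening) pair clears the support floor, so it is the one relation proposed for the knowledge base; the threshold call reproduces the worked case in the paragraph above (threshold 4, three features, verdict "other").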
To avoid misjudgment of attack events by the honeypot system 310, the event analysis system 330 may also judge whether an event is a social engineering attack event according to the combination of psychological and technical characteristics, and according to the attacker characteristics.
Optionally, the event analysis system 330 is further configured to add a social engineering attack identifier to each social engineering attack event in the data storage system 340.
In the embodiment of the present invention, as shown in fig. 3b, the event analysis system 330 may further add the social engineering attack identifier for the social engineering attack event stored in the data storage system 340 according to the type of the attack event, and add the other type of network attack identifier for other types of attack events, for example, add the conventional network attack identifier for the conventional network attack event.
Optionally, the honeypot system 310 includes a high-interaction honeypot system.
In the embodiment of the present invention, the honeypot system 310 is a high-interaction honeypot system, that is, a real operating system and real services are used as the honeypot, so that it can interact with an attacker, programs can be read and written, and more comprehensive attack information can be captured.
According to the technical scheme, honeypot systems are deployed at different geographic positions across the whole network, achieving multi-node, wide-dimension detection of social engineering attacks in a large-scale network environment. Network attack events are captured by the honeypot systems, the captured events are analyzed and judged, and those determined to be social engineering attack events are reported to the controller. The controller stores the event data in the data storage system and schedules the event analysis system to correlate and analyze the event data in the data storage system so as to refine and update the social engineering knowledge base and social engineering detection rule base in the honeypot systems, further improving the accuracy of social engineering attack detection.
Example IV
Fig. 4 is a schematic structural diagram of a honeypot system according to a fourth embodiment of the invention. FIG. 4 illustrates a block diagram of an exemplary honeypot system 12 suitable for use in implementing embodiments of the invention. The honeypot system 12 shown in fig. 4 is merely an example and should not be construed as limiting the functionality and scope of use of embodiments of the invention.
As shown in FIG. 4, the honeypot system 12 is embodied in the form of a general purpose computing device. The components of the honeypot system 12 may include, but are not limited to: one or more processors or processing units 16, a system memory 28, a bus 18 that connects the various system components, including the system memory 28 and the processing units 16.
Bus 18 represents one or more of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processor, and a local bus using any of a variety of bus architectures. By way of example, and not limitation, such architectures include the Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MAC) bus, enhanced ISA bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.
The honeypot system 12 typically includes a variety of computer system readable media. Such media may be any available media that is accessible by honeypot system 12 and includes both volatile and non-volatile media, removable and non-removable media.
The system memory 28 may include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM) 30 and/or cache memory 32. The honeypot system 12 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 34 may be used to read from or write to non-removable, nonvolatile magnetic media (not shown in FIG. 4, commonly referred to as a "hard disk drive"). Although not shown in fig. 4, a magnetic disk drive for reading from and writing to a removable non-volatile magnetic disk (e.g., a "floppy disk"), and an optical disk drive for reading from or writing to a removable non-volatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In such cases, each drive may be coupled to bus 18 through one or more data medium interfaces. Memory 28 may include at least one program product having a set (e.g., at least one) of program modules configured to carry out the functions of embodiments of the invention.
A program/utility 40 having a set (at least one) of program modules 42 may be stored in, for example, memory 28, such program modules 42 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment. Program modules 42 generally perform the functions and/or methods of the embodiments described herein.
The honeypot system 12 may also communicate with one or more external devices 14 (e.g., keyboard, pointing device, display 24, etc.), one or more devices that enable a user to interact with the honeypot system 12, and/or any device (e.g., network card, modem, etc.) that enables the honeypot system 12 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 22. Also, the honeypot system 12 may communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the internet via the network adapter 20. As shown, the network adapter 20 communicates with other modules of the honeypot system 12 via the bus 18. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with the honeypot system 12, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
The processing unit 16 executes various functional applications and data processing by running programs stored in the system memory 28, for example, implementing the method for detecting a social engineering attack event applied to a honeypot system provided by the embodiment of the present invention.
Namely: the method for detecting the social engineering attack event is applied to a honeypot system and comprises the following steps: acquiring a network attack event; according to the social engineering knowledge base and the social engineering detection rule base, carrying out feature matching on the network attack event; and determining whether the network attack event is a social engineering attack event according to the matching result.
Example five
The fifth embodiment of the invention also discloses a computer storage medium, on which a computer program is stored, which when executed by a processor, realizes a method for detecting social engineering attack events applied to a honeypot system, comprising:
capturing network attack events;
according to the social engineering knowledge base and the social engineering detection rule base, carrying out feature matching on the network attack event;
and determining whether the network attack event is a social engineering attack event according to the matching result.
The computer storage media of embodiments of the invention may take the form of any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. For example, a computer-readable storage medium may be, but is not limited to: an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations of the present invention may be written in one or more programming languages, including an object oriented programming language such as Java, smalltalk, C ++ and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
Note that the above is only a preferred embodiment of the present invention and the technical principle applied. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, while the invention has been described in connection with the above embodiments, the invention is not limited to the embodiments, but may be embodied in many other equivalent forms without departing from the spirit or scope of the invention, which is set forth in the following claims.

Claims (9)

1. A method for detecting a social engineering attack event, applied to a honeypot system, comprising:
capturing network attack events; wherein the network attack events include conventional network attack events and social engineering attack events;
performing feature matching on the network attack event according to a social engineering knowledge base and a social engineering detection rule base;
determining whether the network attack event is a social engineering attack event according to the matching result;
the feature matching of the network attack event according to the social engineering knowledge base and the social engineering detection rule base comprises the following steps:
Extracting features of the network attack event to obtain event features of the network attack event; matching the attacker features included in the event features with a target attacker feature set included in the social engineering knowledge base; and/or matching the psychological characteristics included in the event characteristics with a target psychological characteristic set included in the social engineering knowledge base, and matching the technical characteristics included in the event characteristics with a detection rule set included in the social engineering detection rule base;
wherein the honeypot systems are deployed in different geographic locations throughout the network to form a distributed honeypot network.
2. The method of claim 1, wherein determining whether the network attack event is a social engineering attack event according to the matching result comprises:
if the attacker features included in the event features belong to a target attacker feature set included in the social engineering knowledge base, determining that the network attack event is a social engineering attack event; and/or
And if the psychological characteristics belonging to the target psychological characteristic set exist in the event characteristics, and the target detection rules matched with the technical characteristics included in the event characteristics exist in the detection rule set included in the social engineering detection rule base, determining that the network attack event is a social engineering attack event.
3. The method of claim 1, wherein determining whether the network attack event is a social engineering attack event according to the matching result comprises:
if psychological characteristics belonging to the target psychological characteristic set exist in the event characteristics, and no target detection rule matched with the technical characteristics included in the event characteristics exists in the detection rule set included in the social engineering detection rule base, determining that the network attack event is a suspected social engineering attack event.
4. The method according to claim 1, wherein the set of target psychological characteristics comprises at least: frightening features, alluring features, fear features, curiosity features, trust features, greedy features, homonymy features, guilt features, and authority features;
the detection rule set at least comprises: malicious IP detection rules, malicious link detection rules, malicious mail detection rules, trojan detection rules, virus detection rules, and backdoor program detection rules.
5. A social engineering attack event detection device, applied to a honeypot system, comprising:
the capturing module is used for capturing network attack events; wherein the network attack events include conventional network attack events and social engineering attack events;
The matching module is used for carrying out feature matching on the network attack event according to the social engineering knowledge base and the social engineering detection rule base;
the determining module is used for determining whether the network attack event is a social engineering attack event according to the matching result;
the matching module is specifically used for extracting characteristics of the network attack event to obtain event characteristics of the network attack event; matching the attacker features included in the event features with a target attacker feature set included in the social engineering knowledge base; and/or matching the psychological characteristics included in the event characteristics with a target psychological characteristic set included in the social engineering knowledge base, and matching the technical characteristics included in the event characteristics with a detection rule set included in the social engineering detection rule base;
wherein the honeypot systems are deployed in different geographic locations throughout the network to form a distributed honeypot network.
6. A system for detecting a social engineering attack event, comprising: a preset number of honeypot systems, a controller, an event analysis system and a data storage system;
The honeypot system is used for executing the method for detecting the social engineering attack event according to any one of claims 1-4 and sending the detected social engineering attack event to the controller;
the controller is used for storing the social engineering attack events sent by each honeypot system to the data storage system and issuing event analysis instructions corresponding to each social engineering attack event to the event analysis system;
the event analysis system is used for carrying out association analysis on each social engineering attack event matched with the current event analysis instruction, and updating a social engineering knowledge base and a social engineering detection rule base which are included in the data storage system according to association analysis results.
7. The system of claim 6, wherein:
the honeypot system is further used for sending the detected suspected social engineering attack event to the controller;
the controller is further used for storing the suspected social engineering attack event sent by the honeypot system to the data storage system and issuing an event type judgment instruction corresponding to the suspected social engineering attack event to the event analysis system;
the event analysis system is further used for performing feature classification statistics on the suspected social engineering attack events matched with the current event type judgment instruction; if the feature statistics value is greater than a preset threshold value, the suspected social engineering attack event is determined to be a social engineering attack event, otherwise it is determined to be another type of network attack event.
8. The system of claim 7, wherein:
the event analysis system is also used for adding a social engineering attack identifier to each social engineering attack event in the data storage system.
9. The system of claim 6, wherein the honeypot system comprises a high-interaction honeypot system.
CN202010698590.5A 2020-07-20 2020-07-20 Method, device and system for detecting social engineering attack event Active CN111859374B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010698590.5A CN111859374B (en) 2020-07-20 2020-07-20 Method, device and system for detecting social engineering attack event

Publications (2)

Publication Number Publication Date
CN111859374A CN111859374A (en) 2020-10-30
CN111859374B true CN111859374B (en) 2024-03-19

Family

ID=73001133

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010698590.5A Active CN111859374B (en) 2020-07-20 2020-07-20 Method, device and system for detecting social engineering attack event

Country Status (1)

Country Link
CN (1) CN111859374B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113141347B (en) * 2021-03-16 2022-06-10 中国科学院信息工程研究所 Social work information protection method and device, electronic equipment and storage medium
CN113381981B (en) * 2021-05-13 2023-02-21 中国科学院信息工程研究所 Social attack stress transformation protection method and system, electronic device and storage medium
CN114553481A (en) * 2022-01-17 2022-05-27 重庆邮电大学 Network attack event prediction and optimal active defense strategy selection system

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102739647A (en) * 2012-05-23 2012-10-17 国家计算机网络与信息安全管理中心 High-interaction honeypot based network security system and implementation method thereof
CN103530561A (en) * 2013-10-21 2014-01-22 北京奇虎科技有限公司 Method and device for preventing attacks of Trojan horse programs based on social engineering
CN104852916A (en) * 2015-05-08 2015-08-19 西安石油大学 Social engineering-based webpage verification code recognition method and system
CN106470188A (en) * 2015-08-18 2017-03-01 中国电信股份有限公司 The detection method of security threat, device and security gateway
CN108183888A (en) * 2017-12-15 2018-06-19 恒安嘉新(北京)科技股份公司 A kind of social engineering Network Intrusion path detection method based on random forests algorithm
CN109450929A (en) * 2018-12-13 2019-03-08 成都亚信网络安全产业技术研究院有限公司 A kind of safety detection method and device
CN110290155A (en) * 2019-07-23 2019-09-27 北京邮电大学 The defence method and device of social engineering attack
CN110300054A (en) * 2019-07-03 2019-10-01 论客科技(广州)有限公司 The recognition methods of malice fishing mail and device
CN111131166A (en) * 2019-11-28 2020-05-08 重庆小雨点小额贷款有限公司 User behavior prejudging method and related equipment
CN111147489A (en) * 2019-12-26 2020-05-12 中国科学院信息工程研究所 Link camouflage-oriented fishfork attack mail discovery method and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9123027B2 (en) * 2010-10-19 2015-09-01 QinetiQ North America, Inc. Social engineering protection appliance

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102739647A (en) * 2012-05-23 2012-10-17 国家计算机网络与信息安全管理中心 High-interaction honeypot based network security system and implementation method thereof
CN103530561A (en) * 2013-10-21 2014-01-22 北京奇虎科技有限公司 Method and device for preventing attacks of Trojan horse programs based on social engineering
CN104852916A (en) * 2015-05-08 2015-08-19 西安石油大学 Social engineering-based webpage verification code recognition method and system
CN106470188A (en) * 2015-08-18 2017-03-01 中国电信股份有限公司 The detection method of security threat, device and security gateway
CN108183888A (en) * 2017-12-15 2018-06-19 恒安嘉新(北京)科技股份公司 A kind of social engineering Network Intrusion path detection method based on random forests algorithm
CN109450929A (en) * 2018-12-13 2019-03-08 成都亚信网络安全产业技术研究院有限公司 A kind of safety detection method and device
CN110300054A (en) * 2019-07-03 2019-10-01 论客科技(广州)有限公司 The recognition methods of malice fishing mail and device
CN110290155A (en) * 2019-07-23 2019-09-27 北京邮电大学 The defence method and device of social engineering attack
CN111131166A (en) * 2019-11-28 2020-05-08 重庆小雨点小额贷款有限公司 User behavior prejudging method and related equipment
CN111147489A (en) * 2019-12-26 2020-05-12 中国科学院信息工程研究所 Link camouflage-oriented fishfork attack mail discovery method and device

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
Preventive Techniques of Phishing Attacks in Networks; Muhammad Adil et al.; 2020 3rd International Conference on Advancements in Computational Sciences (ICACS); pp. 1-8 *
Research on the application of a secure and efficient combined key technique to VoIP; Feng Fuwei et al.; Computer & Digital Engineering; Vol. 43 (No. 12); pp. 2221-2228 *
A new multimodal information hiding architecture based on a big-data environment; Huang Dianzhong et al.; Acta Electronica Sinica; Vol. 45 (No. 02); pp. 477-484 *
Social engineering email detection based on a naive Bayes classifier; Ma Mingyang et al.; Proceedings of the 19th National Youth Communication Academic Conference; full text *
Research on a military information system security framework for defending against advanced persistent threats; Wu Xiaoping et al.; Journal of Naval University of Engineering (Comprehensive Edition); 2016-06-15; Vol. 13 (No. 02); pp. 30-35 *

Also Published As

Publication number Publication date
CN111859374A (en) 2020-10-30

Similar Documents

Publication Publication Date Title
US10218740B1 (en) Fuzzy hash of behavioral results
US11102223B2 (en) Multi-host threat tracking
US11516248B2 (en) Security system for detection and mitigation of malicious communications
US10467411B1 (en) System and method for generating a malware identifier
US10735458B1 (en) Detection center to detect targeted malware
US10523609B1 (en) Multi-vector malware detection and analysis
KR101689296B1 (en) Automated verification method of security event and automated verification apparatus of security event
WO2018177210A1 (en) Defense against apt attack
JP6441957B2 (en) Systems, devices, and methods that automatically validate exploits on suspicious objects and highlight display information associated with the proven exploits
CN111859374B (en) Method, device and system for detecting social engineering attack event
EP2106085B1 (en) System and method for securing a network from zero-day vulnerability exploits
EP3349414A1 (en) Malicious tunneling handling system
EP3414663A1 (en) Automated honeypot provisioning system
CN111526121B (en) Intrusion prevention method and device, electronic equipment and computer readable medium
US20200106791A1 (en) Intelligent system for mitigating cybersecurity risk by analyzing domain name system traffic metrics
KR101991737B1 (en) Visualization method and visualization apparatus
US20200195670A1 (en) Profiling network entities and behavior
KR101991736B1 (en) Correlation visualization method and correlation visualization apparatus
US11924228B2 (en) Messaging server credentials exfiltration based malware threat assessment and mitigation
US20210359977A1 (en) Detecting and mitigating zero-day attacks
Sandhu et al. A study of the novel approaches used in intrusion detection and prevention systems
KR102636138B1 (en) Method, apparatus and computer program of controling security through database server identification based on network traffic
CN113965412A (en) Method for analyzing and aggregating system of honeypot attack stage
Han et al. Threat evaluation method for distributed network environment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant