CN112039865A - Network attack detection and response method driven by threat

Info

Publication number
CN112039865A
Authority
CN
China
Prior art keywords
threat
intelligence
data
information
attack
Legal status
Pending
Application number
CN202010867543.9A
Other languages
Chinese (zh)
Inventor
赵磊
常承伟
王芳鸣
Current Assignee
Beijing Institute of Computer Technology and Applications
Original Assignee
Beijing Institute of Computer Technology and Applications

Classifications

    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/23 Clustering techniques


Abstract

The invention relates to a threat-driven network attack detection and response method in the technical field of information security. To address the shortcomings of the traditional static defense system and of emergency-style threat response mechanisms, the invention designs a threat-driven security response method that follows the attacker's way of thinking and attack flow and is organized according to the PPDR model, on the basis of research and analysis of the general network attack process.

Description

Network attack detection and response method driven by threat
Technical Field
The invention belongs to the technical field of information security and in particular relates to a threat-driven network attack detection and response method.
Background
As a defining feature of the information age, networks have penetrated every aspect and field of the real world through their virtual existence of "boundlessness" and "scarcity", increasingly becoming the basic platform for political, economic, cultural and social activity and the nervous system on which the whole of society depends to operate normally. With the development of new technologies and applications such as cloud computing, big data, artificial intelligence, the mobile internet, the internet of things and social networks, new network security challenges grow by the day and the situation is extremely severe. In particular, the appearance of weapon-grade malware such as Stuxnet and Flame and the exposure of network surveillance programs such as PRISM show most prominently that network security threats have been comprehensively upgraded.
The existing defense system is precise defense based on the perception of threat characteristics: prior knowledge of attack sources, attack characteristics, attack paths, attack behaviors, attack mechanisms and the like must be obtained before effective defense can be implemented. In the face of uncertain threats, passive defense is like solving a multidimensional system of equations for which, in theory, no definite solution exists. The present asymmetry of network security, in which attack is easy and defense is hard, is therefore also caused by an inherent defect of the passive defense theory and its technology. More seriously, the architecture of cyberspace information systems and of their defense systems is static, homogeneous and deterministic in nature; the system architecture is transparent, has a single processing space and lacks diversity.
Disclosure of Invention
Technical problem to be solved
The technical problem to be solved by the invention is to design a network attack detection and response method that addresses the shortcomings of the traditional static defense system and of emergency-style threat response mechanisms.
(II) technical scheme
To solve this technical problem, the invention provides a threat-driven network attack detection and response method comprising a threat response step based on the attack life cycle and a threat intelligence sharing step based on ontology communication, wherein the sharing step is carried out on the basis of the threat response step.
Preferably, the threat response step based on the attack life cycle comprises a prediction phase, a protection phase, a detection phase and a response phase:
(1) Prediction phase
The prediction phase generates multi-dimensional threat intelligence from multi-source external threat information by means of a threat characteristic library and a depiction of the attack surface, so as to predict network attacks; in this phase, identification and prediction of threat characteristics is completed with a clustering method from machine learning.
(2) Protection phase
In the protection phase, according to the attack surface depicted in the prediction phase, that is, according to the threat intelligence, security protection products and services that suit the defender's own conditions are selected to obtain a defense strategy.
(3) Detection phase
In the detection phase, a full-traffic detection product inspects traffic according to the threat intelligence obtained in the prediction phase and the defense strategy obtained in the protection phase, and abnormal behavior analysis identifies which threat an abnormal behavior belongs to.
(4) Response phase
The response phase handles the threats discovered in the detection phase, performs characteristic learning, and initiates threat intelligence sharing.
Preferably, in the prediction phase, the procedure for identifying and predicting threat characteristics is specifically as follows:
① Normalization of threat characteristic data
Threat characteristic data from multiple sources is normalized with a linear transformation:
Let the threat characteristic data set D_r contain s data objects X_1, X_2, …, X_s, each having t characteristic attributes denoted x_1, x_2, …, x_j, …, x_t. The characteristic attribute data is normalized using
[formula given in Figure BDA0002650143610000031 of the original]
where y_j is the normalized characteristic attribute, giving the normalized data set A_r = {Y_1, Y_2, …, Y_s}, 1 ≤ r ≤ q, where q is the number of characteristic types.
② Threat characteristic cluster learning
A multi-dimensional K-Means clustering algorithm performs cluster learning on the threat characteristics, forming the elements of the prediction judgment criteria:
Using the normalized data sets A_1, A_2, …, A_q, the initial number of clusters of each data set is set to 2 and clustering is performed on each data set separately to obtain the preliminary clustering results R_1, R_2, …, R_q. The clustering results are then compared with the actual classification, the number of clusters of each data set is adjusted dynamically, and clustering is repeated until the result reaches the preset accuracy.
③ Threat characteristic association mapping
For the multi-level threat characteristic clustering results, the associations between the multi-level threat characteristics are completed in combination with asset composition information, generating threat intelligence of the form <Asset_i, Threat_1, Threat_2, …, Threat_k>, which at the same time provides the basic data for depicting the attack surface.
Preferably, in the protection phase, the attack diversion strategy is formulated according to the following technical principle:
① based on the threat intelligence and the attack surface of Asset_i, select the risk port set P_i and service set S_i;
② dynamically allocate an IP address to the honeypot machine;
③ install the services on the honeypot machine and configure port mapping and port proxying;
④ configure the data capture and access control tools;
⑤ traverse the asset list, repeating the above steps until the asset list is empty.
Preferably, in the detection phase, the threat to which an abnormal behavior belongs is identified by abnormal behavior analysis: based on sandbox technology, combined with big-data analysis means such as abnormal traffic detection, machine learning and association analysis, it is detected whether there is an anomaly in the creation or invocation of related processes, in file or resource access behavior, or in registry modification.
Preferably, in the response phase, the threat handling methods include terminal isolation, IP blocking and isolation at the network layer, handling of system processes, account freezing, application-layer blocking, and active denial of response.
Preferably, the threat intelligence sharing step based on ontology communication comprises transmitting the threat intelligence ontology after threat intelligence sharing is initiated, wherein the threat intelligence ontology is described in the RDF triple format.
Preferably, when the RDF triple format is used to describe the threat intelligence ontology, nodes represent resources and arcs represent the attribute relationships of the resources.
Preferably, when the threat intelligence ontology is transmitted, its data is encrypted with a negotiated encryption scheme according to the sensitivity of the threat intelligence.
Preferably, the threat intelligence sharing step based on ontology communication further comprises distributing threat intelligence after sharing is initiated, the distribution modes comprising an active mode and a passive mode:
① active intelligence distribution: relevant data is distributed to users based on the relationship between the content of the threat intelligence and the users' requirement attributes; after new or routine intelligence is produced, the producer pushes the data to the corresponding users according to how well the threat intelligence matches them;
② passive intelligence distribution: a demand-driven distribution method in which threat intelligence providers publish the available intelligence categories on a portal as a service, and users search for the content they need and then access it through a specified interface provided by the system.
(III) advantageous effects
To address the shortcomings of the traditional static defense system and of emergency-style threat response mechanisms, the invention designs a threat-driven security response method that follows the attacker's way of thinking and attack flow and is organized according to the PPDR model, on the basis of research and analysis of the general network attack process.
Drawings
FIG. 1 is a schematic diagram of the threat-driven attack detection and response method provided by the invention;
FIG. 2 is a schematic diagram of the phases of threat response in the invention;
FIG. 3 is a schematic diagram of the formalized threat intelligence sharing method in the invention.
Detailed Description
To make the objects, content and advantages of the invention clearer, the embodiments of the invention are described in detail below with reference to the accompanying drawings and examples.
Attackers and defenders have long played a dynamic game under asymmetric information, in which the defender knows far less about the attacker than the attacker knows about the defender. Traditional attack detection means cannot meet current security detection requirements, and analysis of information about the attacker is not deep enough. Therefore, on the basis of research and analysis of the general network attack process, a threat-based attack detection and response method is designed around the attacker's way of thinking and attack flow. It mainly comprises two steps, threat response based on the attack life cycle and threat intelligence sharing based on ontology communication, as shown in FIG. 1.
Step one: threat response based on the attack life cycle
Taking the PPDR security protection model proposed by Gartner as the guiding framework, the invention provides a threat response process based on the attack life cycle, comprising a prediction phase, a protection phase, a detection phase and a response phase, as shown in FIG. 2.
(1) Prediction phase
The prediction phase aims to describe external threats as comprehensively as possible. It relies on external threat information from multiple sources and generates multi-dimensional threat intelligence by depicting the threat characteristic library and the attack surface, forming the capability to predict network attacks. In this method, identification and prediction of threat characteristics in the prediction phase is completed with a clustering method from machine learning, which is the first step in the transition from passive protection to active defense.
The procedure for identifying and predicting threat characteristics is specifically as follows:
① Normalization of threat characteristic data
Threat characteristic data from multiple sources is processed so that it suits a classification/clustering learning model. In the prediction phase, the method normalizes the threat characteristic data with a linear transformation.
Let the threat characteristic data set D_r contain s data objects X_1, X_2, …, X_s, each having t characteristic attributes denoted x_1, x_2, …, x_j, …, x_t. The characteristic attribute data is normalized using
[formula given in Figure BDA0002650143610000071 of the original]
where y_j is the normalized characteristic attribute, giving the normalized data set A_r = {Y_1, Y_2, …, Y_s}, 1 ≤ r ≤ q (q is the number of characteristic types).
② Threat characteristic cluster learning
Because threat characteristics involve information of many aspects and many levels, clustering them is difficult to complete with a single-class clustering model. The method therefore applies a multi-dimensional K-Means clustering algorithm to cluster the threat characteristics, forming the elements of the prediction judgment criteria.
Using the normalized data sets A_1, A_2, …, A_q, the initial number of clusters of each data set is set to 2 and clustering is performed on each data set separately to obtain the preliminary clustering results R_1, R_2, …, R_q. The clustering results are then compared with the actual classification, the number of clusters of each data set is adjusted dynamically, and clustering is repeated until the result reaches the required accuracy.
③ Threat characteristic association mapping
For the multi-level threat characteristic clustering results, the associations between the multi-level threat characteristics are completed in combination with information such as asset composition, generating threat intelligence of the form <Asset_i, Threat_1, Threat_2, …, Threat_k>, which at the same time provides the basic data for depicting the attack surface.
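Steps ① to ③ carried through in code, as an added example that is not the patent's own implementation. Because the page only references a figure for the normalization formula, min-max scaling is assumed as the linear transformation; plain Lloyd's K-Means stands in for the multi-dimensional K-Means algorithm, cluster purity against the known labels stands in for the "preset accuracy", and the feature values, labels, asset observations and the 0.95 threshold are constructed for the example.

```python
"""Prediction phase, steps 1-3, as an added example (not the patent's code).
Assumptions: min-max scaling is the linear normalization (the page only cites a
figure for the formula), cluster purity against known labels is the "accuracy",
and plain Lloyd's K-Means stands in for the multi-dimensional K-Means."""
import random

# Constructed sample: q = 2 feature types, each a data set D_r of (X, label) rows.
# "netflow" attributes: bytes/s, packets/s, distinct destination ports.
# "endpoint" attributes: processes spawned, registry writes, files written.
D = {
    "netflow": [((120, 3, 1), "benign"), ((150, 4, 1), "benign"), ((90, 2, 2), "benign"),
                ((9000, 400, 1), "ddos"), ((8800, 380, 1), "ddos"), ((9500, 420, 2), "ddos"),
                ((300, 40, 900), "scan"), ((280, 38, 950), "scan"), ((320, 45, 880), "scan")],
    "endpoint": [((2, 0, 3), "benign"), ((3, 1, 4), "benign"), ((1, 0, 2), "benign"),
                 ((40, 30, 200), "ransomware"), ((45, 28, 220), "ransomware"), ((38, 33, 190), "ransomware")],
}

def scale(objects, lo, hi):
    """Step 1 (assumed form): y_j = (x_j - min_j) / (max_j - min_j) for every attribute j."""
    return [tuple((x[j] - lo[j]) / (hi[j] - lo[j]) if hi[j] > lo[j] else 0.0
                  for j in range(len(lo))) for x in objects]

def dist2(a, b):
    return sum((a[j] - b[j]) ** 2 for j in range(len(a)))

def kmeans(points, k, iters=100, seed=0):
    """Lloyd's K-Means with a fixed seed; returns (assignment, centers)."""
    centers = random.Random(seed).sample(points, k)
    assign = None
    for _ in range(iters):
        new = [min(range(k), key=lambda c: dist2(p, centers[c])) for p in points]
        if new == assign:
            break
        assign = new
        for c in range(k):
            members = [p for p, a in zip(points, assign) if a == c]
            if members:
                centers[c] = tuple(sum(m[j] for m in members) / len(members) for j in range(len(members[0])))
    return assign, centers

def majority_labels(assign, labels):
    """Label each cluster with the most frequent true label among its members."""
    out = {}
    for c in set(assign):
        members = [l for a, l in zip(assign, labels) if a == c]
        out[c] = max(set(members), key=members.count)
    return out

def purity(assign, labels):
    """Fraction of objects whose cluster's majority label equals their own label."""
    maj = majority_labels(assign, labels)
    return sum(maj[a] == l for a, l in zip(assign, labels)) / len(labels)

def fit_feature_type(rows, target=0.95, max_k=6):
    """Step 2: start at k = 2 and re-cluster with k + 1 until purity >= target."""
    objects = [x for x, _ in rows]
    labels = [l for _, l in rows]
    lo = [min(x[j] for x in objects) for j in range(len(objects[0]))]
    hi = [max(x[j] for x in objects) for j in range(len(objects[0]))]
    points = scale(objects, lo, hi)
    for k in range(2, max_k + 1):
        assign, centers = kmeans(points, k)
        if purity(assign, labels) >= target:
            break
    return {"k": k, "lo": lo, "hi": hi, "centers": centers,
            "labels": majority_labels(assign, labels), "purity": purity(assign, labels)}

def predict(model, x):
    """Nearest-center lookup of a new observation, scaled with the training bounds."""
    y = scale([x], model["lo"], model["hi"])[0]
    c = min(range(len(model["centers"])), key=lambda c: dist2(y, model["centers"][c]))
    return model["labels"].get(c, "unknown")

def associate(models, observations):
    """Step 3: join per-feature-type verdicts into <Asset_i, Threat_1, ..., Threat_k>."""
    intel = {}
    for asset, obs in observations.items():
        threats = []
        for feature_type, x in obs.items():
            label = predict(models[feature_type], x)
            if label != "benign" and label not in threats:
                threats.append(label)
        intel[asset] = tuple([asset] + threats)
    return intel

def run():
    models = {r: fit_feature_type(rows) for r, rows in D.items()}
    observations = {  # constructed current observations per asset
        "web-01": {"netflow": (9100, 390, 1), "endpoint": (2, 0, 3)},
        "file-03": {"netflow": (100, 3, 1), "endpoint": (42, 31, 205)},
        "db-02": {"netflow": (110, 3, 1), "endpoint": (1, 0, 2)},
    }
    return models, associate(models, observations)

if __name__ == "__main__":
    models, intel = run()
    for r, m in models.items():
        print(f"{r}: k={m['k']} purity={m['purity']:.2f}")
    for row in intel.values():
        print(row)
```

Scaling with the training bounds is kept in the model so that a new observation is normalized exactly as the training data was; an observation outside those bounds lands outside [0, 1], which is still handled by the nearest-center lookup.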
The key points of the prediction phase are obtaining multi-dimensional threat intelligence and learning threat characteristics. This intelligence includes, at the basic data level, PE executable samples, NetFlow network flow data, terminal logs, DNS and WHOIS records and the like; at the technical intelligence level, addresses of malicious remote-control servers, malicious websites, telephone numbers, phishing mail addresses, hash values of malicious code, specific registry keys that are modified, system vulnerabilities, abnormal accounts and the like; at the level of the attacker or attack organization, attack means and processes, the impact an attack may cause, emergency response recommendations and the like; and at the strategic level, social, political, economic and cultural motives, historical attack trajectories and target trends, attack focus, assessment of the technical capability of attack organizations and the like. Multi-dimensional threat intelligence is a valuable reference for describing threats and clearly improves the accuracy of network attack prediction.
The multi-dimensional threat intelligence generated in the prediction phase is fed back to the protection and detection phases, where it guides security protection and security detection at each level: network, system, terminal, application and service.
(2) Protection phase
The protection phase aims to generate dynamic and effective security protection strategies and to describe the defender's own assets in detail; it defends against network attacks by combining and deploying a set of security strategies, products and services. In this phase, the protection strategy is linked with asset management: security protection strategies are configured and managed for the corresponding assets, forming a multi-layer, multi-level dynamic security protection strategy system that raises the cost of attack by reducing the attack surface and intercepts attack actions before they take effect.
The protection strategy comprises an asset security protection strategy set and an attack diversion strategy. The asset security protection strategy set describes the security products, services and security strategies used by the components of an asset, and configures targeted security strategies for key assets in combination with threat intelligence. The attack diversion strategy is based on the idea of mimic defense: through technologies such as honeypots, system mirroring and concealment, it makes it hard for an attacker to locate the real core of the system and usable vulnerabilities, and it hides and obfuscates system interfaces and system information, so that the defender gains an asymmetric advantage in time during the attack-defense confrontation.
In the protection phase, according to the attack surface depicted in the prediction phase and the threat intelligence, security protection products and services that suit the defender's own conditions are selected to obtain a defense strategy. In addition, to attract and divert network attacks, the method deploys low-interaction, medium-interaction and high-interaction honeypots together and dynamically specifies the number of honeypots of each type. Low- and medium-interaction honeypots are implemented on virtual machines, and high-interaction honeypots on puppet machines. The attack diversion strategy is formulated according to the following technical principle:
① based on the threat intelligence and the attack surface of Asset_i, select the risk port set P_i and service set S_i;
② dynamically allocate an IP address to the honeypot machine;
③ install the services on the honeypot machine and configure port mapping and port proxying;
④ configure the data capture and access control tools;
⑤ traverse the asset list, repeating the above steps until the asset list is empty.
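The five-step principle above as a planner that walks the asset list, added here as an example and not the patent's own code. The assets, the <Asset_i, Threat_1, …> rows, the mapping from threats to ports, the address pool, the capture tool names and the rule that picks the interaction level from the number of risk ports are all constructed for the example.

```python
"""Protection phase: formulating the attack diversion (honeypot) strategy over
the asset list, as an added example (not the patent's code). Assets, intelligence,
addresses, tool names and the interaction-level policy are constructed."""
import ipaddress

# <Asset_i, Threat_1, ..., Threat_k> rows as produced by the prediction phase.
THREAT_INTEL = {
    "web-01": ("web-01", "web-shell-upload", "ssh-bruteforce"),
    "db-02": ("db-02", "sql-bruteforce"),
    "file-03": ("file-03",),  # no predicted threat
}
# Attack surface per asset: exposed port -> service.
ATTACK_SURFACE = {
    "web-01": {22: "ssh", 80: "http", 443: "https", 8443: "admin-ui"},
    "db-02": {22: "ssh", 3306: "mysql"},
    "file-03": {445: "smb"},
}
THREAT_PORTS = {  # which ports each threat is known to target (constructed)
    "web-shell-upload": {80, 443},
    "ssh-bruteforce": {22},
    "sql-bruteforce": {3306},
}
REAL_ADDRESSES = {"web-01": "10.0.1.10", "db-02": "10.0.1.20", "file-03": "10.0.1.30"}
HONEYPOT_POOL = ipaddress.ip_network("10.0.9.0/28")

def risk_sets(asset):
    """Step 1: P_i and S_i from the intelligence and the asset's attack surface."""
    _, *threats = THREAT_INTEL[asset]
    targeted = set().union(*(THREAT_PORTS.get(t, set()) for t in threats))
    ports = sorted(p for p in ATTACK_SURFACE[asset] if p in targeted)
    services = sorted({ATTACK_SURFACE[asset][p] for p in ports})
    return ports, services

def allocate_ip(used):
    """Step 2: first pool address not yet in use and not a real asset address."""
    for ip in HONEYPOT_POOL.hosts():
        if str(ip) not in used:
            used.add(str(ip))
            return str(ip)
    raise RuntimeError("honeypot address pool exhausted")

def interaction_level(ports):
    """Assumed policy: the more risk ports to emulate, the higher the interaction level."""
    return None if not ports else "low" if len(ports) == 1 else "medium" if len(ports) == 2 else "high"

def build_plan():
    """Steps 1-5: pop assets until the list is empty, one honeypot per threatened asset."""
    used = set(REAL_ADDRESSES.values())
    pending = list(THREAT_INTEL)
    plan = []
    while pending:
        asset = pending.pop(0)
        ports, services = risk_sets(asset)
        level = interaction_level(ports)
        if level is None:
            continue  # nothing to divert for this asset
        hp_ip = allocate_ip(used)
        plan.append({
            "decoy_for": asset,
            "honeypot_ip": hp_ip,
            "level": level,
            "backend": "puppet-machine" if level == "high" else "virtual-machine",
            "services": services,  # Step 3: services to install on the honeypot
            # Step 3: port mapping/proxy entries, same port numbers as the real asset
            "port_map": {p: f"{hp_ip}:{p}" for p in ports},
            # Step 4: capture and access control (tool names assumed); the ACL keeps a
            # compromised honeypot from reaching the real asset it imitates
            "capture": ["pcap", "syscall-trace"],
            "acl": [f"deny {hp_ip} -> {REAL_ADDRESSES[asset]}"],
        })
    return plan

if __name__ == "__main__":
    for entry in build_plan():
        print(entry)
```

Only ports that the intelligence says are targeted are decoyed (8443 on web-01 is exposed but not in P_i), and the address pool excludes every real asset address so a honeypot can never shadow a production host. The egress ACL matters most for the high-interaction puppet machine, which an attacker can fully compromise and would otherwise use as a pivot.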
Asset management comprises asset information statistics, asset state monitoring and the like. Asset information statistics completes the discovery and survey of the user's assets, is the basis for knowing the user, and supports the depiction of the user's attack surface. Asset state monitoring monitors and records the running state, data flows, updates and upgrades, sensitive operations and the like of the assets, and feeds changes back into the asset information so that it is updated in time.
(3) Detection phase
In the detection phase, a full-traffic detection product inspects traffic according to the threat intelligence obtained in the prediction phase and the defense strategy obtained in the protection phase, and, together with abnormal behavior analysis, identifies which threat an abnormal behavior belongs to.
The main goal of the detection phase is to discover external attacks, whether direct or latent, in time. This phase is the part of the traditional security defense system on which every enterprise relies most, and it is also the key phase in which this method discovers threats; it mainly comprises traffic detection and abnormal behavior analysis.
For traffic detection, the method selects a full-element traffic detection product. Rather than focusing only on traffic at the system boundary and on key data channels, it can, at the cost of some system performance, perform multi-element full-traffic detection, sweep out potential blind spots of security detection, and monitor traffic inside the system in real time.
In addition, abnormal behavior analysis is adopted rather than signature-based detection, because many APT attackers use zero-day vulnerabilities or attack with polymorphic and metamorphic malicious code, which traditional signature-based detection cannot find but abnormal behavior analysis may. Abnormal behavior analysis is based on sandbox technology and is combined with big-data analysis means such as abnormal traffic detection, machine learning and association analysis to detect whether related processes are created or invoked abnormally, whether file or resource access behavior is abnormal, and whether the registry is modified.
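Abnormal behavior analysis over sandbox events, as an added example that is not the patent's code. The sandbox event stream, the threat characteristic library entries and the rule thresholds are constructed for illustration. The point the example makes is the one the paragraph makes: the intel-based rules (a known C2 address, a known hash) only fire on what the library already knows, while the behavioural rules (an Office process spawning a script host, a burst of document writes with a second extension) catch the dropper and the encryptor without any signature.

```python
"""Detection phase: behaviour-based analysis of sandbox events, as an added
example (not the patent's code). The event log, the threat characteristic
library entries and the rules are constructed for illustration."""
import json
from collections import defaultdict

# Constructed sandbox event stream, one JSON object per line. Backslashes are
# doubled because the text is JSON; json.loads restores single backslashes.
SANDBOX_LOG = r"""
{"t": 1, "pid": 10, "type": "process_create", "image": "winword.exe", "parent": "explorer.exe"}
{"t": 2, "pid": 11, "type": "process_create", "image": "powershell.exe", "parent": "winword.exe"}
{"t": 3, "pid": 11, "type": "net_connect", "dst": "203.0.113.7", "dport": 443}
{"t": 4, "pid": 11, "type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd", "value": "C:\\Users\\a\\upd.exe"}
{"t": 5, "pid": 12, "type": "process_create", "image": "upd.exe", "parent": "powershell.exe", "sha256": "constructed-hash-0002"}
{"t": 6, "pid": 12, "type": "file_write", "path": "C:\\Users\\a\\Documents\\q1.docx.locked"}
{"t": 7, "pid": 12, "type": "file_write", "path": "C:\\Users\\a\\Documents\\q2.xlsx.locked"}
{"t": 8, "pid": 12, "type": "file_write", "path": "C:\\Users\\a\\Documents\\notes.txt.locked"}
{"t": 9, "pid": 13, "type": "process_create", "image": "notepad.exe", "parent": "explorer.exe"}
{"t": 10, "pid": 13, "type": "file_write", "path": "C:\\Users\\a\\Documents\\todo.txt"}
{"t": 11, "pid": 13, "type": "net_connect", "dst": "198.51.100.20", "dport": 443}
"""

FEATURE_LIBRARY = {  # technical-level threat intelligence (constructed values)
    "c2_addresses": {"203.0.113.7"},
    "malicious_hashes": {"constructed-hash-0001": "trojan"},
    "persistence_key_fragments": ("\\CurrentVersion\\Run\\",),
}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
MASS_RENAME_MIN = 3  # assumed threshold for the ransomware-like write burst

def parse_events(log):
    return [json.loads(line) for line in log.splitlines() if line.strip()]

def analyse(events, lib=FEATURE_LIBRARY):
    """Return (pid, indicator, threat) findings from intel-based and behavioural rules."""
    findings = []
    writes = defaultdict(list)
    for e in events:
        kind = e["type"]
        if kind == "process_create":
            # Behavioural: an Office process spawning a script host needs no signature.
            if e["parent"] in OFFICE_APPS and e["image"] in SCRIPT_HOSTS:
                findings.append((e["pid"], "office-spawns-script-host", "macro-dropper"))
            # Intel-based: the executable's hash is already in the library.
            if e.get("sha256") in lib["malicious_hashes"]:
                findings.append((e["pid"], "known-malicious-hash", lib["malicious_hashes"][e["sha256"]]))
        elif kind == "net_connect" and e["dst"] in lib["c2_addresses"]:
            findings.append((e["pid"], "c2-callback", "remote-control"))
        elif kind == "registry_set" and any(f in e["key"] for f in lib["persistence_key_fragments"]):
            findings.append((e["pid"], "run-key-persistence", "persistence"))
        elif kind == "file_write":
            writes[e["pid"]].append(e["path"])
    # Behavioural: a burst of writes that append a second extension to user documents.
    for pid, paths in writes.items():
        renamed = [p for p in paths if p.rsplit("\\", 1)[-1].count(".") >= 2]
        if len(renamed) >= MASS_RENAME_MIN:
            findings.append((pid, "mass-rename-writes", "ransomware"))
    return findings

def verdicts(events, lib=FEATURE_LIBRARY):
    """Group findings per process and attach its image and parent image, so the
    dropper (pid 11) and the payload it started (pid 12) read as one chain."""
    parent = {e["pid"]: e["parent"] for e in events if e["type"] == "process_create"}
    image = {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}
    out = defaultdict(lambda: {"threats": set(), "indicators": []})
    for pid, indicator, threat in analyse(events, lib):
        out[pid]["threats"].add(threat)
        out[pid]["indicators"].append(indicator)
    return {pid: {"image": image.get(pid), "parent": parent.get(pid), **v} for pid, v in out.items()}

if __name__ == "__main__":
    for pid, v in verdicts(parse_events(SANDBOX_LOG)).items():
        print(pid, v)
```

The hash of upd.exe is deliberately absent from the library, which is exactly the polymorphic-sample case the text describes: the process is still attributed to ransomware from its write pattern alone, while notepad.exe, which also writes a file and opens an outbound connection, produces no finding.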
(4) Response phase
The response phase handles the discovered threats, performs characteristic learning and initiates threat intelligence sharing; it rapidly blocks attacks and isolates infected systems and accounts so as to prevent further damage to the system or spread of the impact.
Common threat handling methods include terminal isolation, IP blocking and isolation at the network layer, handling of system processes, account freezing, application-layer blocking, active denial of response and the like. The detection phase and the response phase must be designed as a whole so that threat handling is automated, triggered automatically by the detection result or automatically after a prompt for manual judgment.
Threat intelligence sharing is the key to pooling the strengths of defenders against attacks. To better resist network attacks of high intensity, long duration and unknown characteristics, a defender needs to cooperate with operators, security vendors, business-related units and the like, achieving joint emergency response and control of risk propagation through threat intelligence sharing.
Threat characteristic extraction extracts and associates multi-dimensional information from the captured threat and feeds it back to the prediction phase, enriching the threat characteristic library, optimizing the threat prediction and identification model, and improving the predictive capability of the security defense system.
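The response phase as a small playbook engine, added as an example that is not the patent's code. It shows the two triggering modes the text requires (automatic on a confident detection, manual confirmation otherwise), the feedback of captured indicators into the characteristic library, and the sharing record handed on to the intelligence step. The playbooks, the 0.8 confidence threshold and the detection records are assumed; the handlers only record an audit trail rather than calling a real EDR or firewall.

```python
"""Response phase: playbook-driven threat handling with automatic or manually
confirmed triggering, characteristic learning and sharing initiation, as an added
example (not the patent's code). Playbooks, the confidence threshold and the
detection records are assumed; handlers only record an audit trail."""
from dataclasses import dataclass, field

AUTO_CONFIDENCE = 0.8  # assumed: at or above this, handling runs without a human
PLAYBOOKS = {  # threat -> ordered handling actions drawn from the page's list of methods
    "ransomware": ["terminal_isolation", "process_termination", "account_freeze"],
    "remote-control": ["network_ip_block", "process_termination"],
    "macro-dropper": ["process_termination", "application_block"],
}

@dataclass
class Detection:
    host: str
    pid: int
    threat: str
    confidence: float
    indicators: dict = field(default_factory=dict)  # e.g. {"sha256": ..., "c2": ...}

@dataclass
class Responder:
    feature_library: dict
    audit: list = field(default_factory=list)       # (action, target) in execution order
    applied: set = field(default_factory=set)       # actions already taken, for idempotency
    manual_queue: list = field(default_factory=list)
    outbox: list = field(default_factory=list)      # sharing records for the intel step

    def _target(self, action, det):
        """Host-level actions key on the host, process-level ones on (host, pid)."""
        if action in ("process_termination", "application_block"):
            return (det.host, det.pid)
        if action == "network_ip_block":
            return det.indicators.get("c2", det.host)
        return det.host

    def _execute(self, det):
        for action in PLAYBOOKS.get(det.threat, ["terminal_isolation"]):
            key = (action, self._target(action, det))
            if key in self.applied:  # do not isolate the same host twice
                continue
            self.applied.add(key)
            self.audit.append(key)
        self._learn(det)
        self.outbox.append(self._sharing_record(det))

    def _learn(self, det):
        """Characteristic learning: feed captured indicators back to the library."""
        if "sha256" in det.indicators:
            self.feature_library.setdefault("malicious_hashes", {})[det.indicators["sha256"]] = det.threat
        if "c2" in det.indicators:
            self.feature_library.setdefault("c2_addresses", set()).add(det.indicators["c2"])

    @staticmethod
    def _sharing_record(det):
        """Sharing initiation: indicators only; internal host and pid are not shared."""
        return {"threat": det.threat, "indicators": dict(det.indicators)}

    def handle(self, det, approved=False):
        """Automatic trigger on a confident detection, otherwise queue for manual judgment."""
        if det.confidence >= AUTO_CONFIDENCE or approved:
            self._execute(det)
            return "executed"
        self.manual_queue.append(det)
        return "pending_manual"

    def approve(self, det):
        """Operator confirms a queued detection; handling then proceeds as above."""
        self.manual_queue.remove(det)
        return self.handle(det, approved=True)

if __name__ == "__main__":
    r = Responder(feature_library={})
    print(r.handle(Detection("web-01", 12, "ransomware", 0.95, {"sha256": "constructed-hash-0002"})))
    print(r.audit, r.feature_library, r.outbox)
```

Learning only happens on executed (confirmed or confident) detections, so an unconfirmed low-confidence alert cannot pollute the characteristic library, and the sharing record strips the internal host and pid so that what leaves the organization is indicators, not asset inventory.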
Step two: threat intelligence sharing based on ontology communication
Threat intelligence sharing is the key to pooling the strengths of defenders against attacks. For the threat intelligence sharing link, the invention designs a threat intelligence sharing method based on ontology communication, which aims to provide a sharing mechanism and communication method for strategy collaboration and threat intelligence sharing among defenders, so that multiple entities can combine into a threat response community. The threat intelligence sharing method based on ontology communication is shown in FIG. 3.
(1) Threat intelligence ontology transmission
To share ontology intelligence between different parties, the intelligence knowledge can be described and recorded in a serialized data format carried over the network; the method adopts the RDF triple format to describe the threat intelligence ontology. RDF (Resource Description Framework) is a standard model for representing resources recommended by the W3C and built on XML, in which nodes represent resources and arcs represent the attribute relationships of the resources. It can serve as the basic model for describing complex relationships such as a domain ontology model, so that the knowledge contained in the threat intelligence ontology is completely recorded in the form of triples.
In addition, according to the sensitivity of the threat intelligence, a negotiated encryption scheme can be used to encrypt the data of the threat intelligence ontology.
(2) Threat intelligence distribution
Distribution is an important link in the intelligence life cycle. Its aim is to deliver the correct intelligence to the demanding party in the correct manner within the effective time, through rapid organization and implementation, so that intelligence is shared on demand, smoothly and securely. The distribution modes comprise an active mode and a passive mode.
The first category is active intelligence distribution. Relevant data is distributed to users based on the relationship between the content of the threat intelligence and the users' requirement attributes. After new or routine intelligence is produced, the producer pushes the data to the corresponding users according to how well the threat intelligence matches them. Active distribution ensures timeliness, so that the most urgent and critical cyberspace adversary intelligence reaches the receiver immediately and guides the demand response.
The second category is passive intelligence distribution, a demand-driven distribution method. The threat intelligence provider publishes the available intelligence categories on a portal as a service; the user searches for the content matching their needs and then accesses it through a specified interface provided by the system.
Threat intelligence expressed in an ontology structure uses a form of knowledge representation and information organization that computers can easily parse and process. After receiving the threat intelligence, a user can therefore apply an ontology-oriented query language and complete complex reasoning that is difficult to achieve with traditional relational data organization, quickly obtaining the knowledge best suited to the current scenario.
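The transmission, query and distribution steps of the sharing method, as an added example that is not the patent's code. It serializes constructed intelligence items as RDF triples in N-Triples form (node, attribute arc, resource or literal), parses what a receiver gets back while rejecting malformed lines, answers triple-pattern queries, and runs both distribution modes: active matching of each item's attributes against consumer requirement attributes, and passive publication of a catalogue that a consumer then queries. The namespace, predicates, intelligence items and consumer records are constructed; the negotiated encryption of sensitive items is not covered.

```python
"""Threat intelligence sharing with RDF triples: N-Triples serialisation and
parsing, pattern queries over the ontology, and active and passive distribution,
as an added example (not the patent's code). The namespace, predicates, intelligence
items and consumer requirement attributes are constructed."""
import re

TI = "http://example.org/ti#"  # constructed namespace for the threat intelligence ontology

def iri(name):
    return f"<{TI}{name}>"

def lit(value):
    """RDF literal with the two escapes N-Triples requires for plain strings."""
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'

# Constructed intelligence items; each becomes a node with one arc per attribute.
INTEL = [
    {"id": "ti-001", "type": "Ransomware", "sha256": "constructed-hash-0003", "targets": "smb",
     "sector": "finance", "severity": "high"},
    {"id": "ti-002", "type": "C2Server", "address": "203.0.113.7", "targets": "http",
     "sector": "energy", "severity": "medium"},
    {"id": "ti-003", "type": "Phishing", "sender": "pay@example.net", "targets": "mail",
     "sector": "finance", "severity": "low"},
]

def to_ntriples(items):
    """Serialise items as N-Triples: node --attribute--> resource or literal."""
    lines = []
    for it in items:
        s = iri(it["id"])
        for k, v in it.items():
            if k != "id":
                lines.append(f"{s} {iri(k)} {iri(v) if k == 'type' else lit(v)} .")
    return "\n".join(lines)

NT_LINE = re.compile(r'^(<[^>]+>) (<[^>]+>) (<[^>]+>|"(?:[^"\\]|\\.)*") \.$')

def parse_ntriples(text):
    """Parse received N-Triples, rejecting malformed lines instead of guessing."""
    triples = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = NT_LINE.match(line)
        if not m:
            raise ValueError(f"malformed triple: {line!r}")
        s, p, o = m.groups()
        if o.startswith('"'):
            o = re.sub(r"\\(.)", r"\1", o[1:-1])  # undo the literal escapes
        triples.append((s, p, o))
    return triples

def query(triples, s=None, p=None, o=None):
    """Triple-pattern match; None is a wildcard (the ontology-oriented query step)."""
    return [t for t in triples
            if (s is None or t[0] == s) and (p is None or t[1] == p) and (o is None or t[2] == o)]

SEVERITY = {"low": 0, "medium": 1, "high": 2}
CONSUMERS = {  # constructed requirement attributes per receiving party
    "bank-soc": {"sector": "finance", "min_severity": "medium"},
    "grid-soc": {"sector": "energy", "min_severity": "low"},
}

def active_distribution(triples, consumers=CONSUMERS):
    """Push mode: match each node's attributes against consumer requirement attributes."""
    out = {c: [] for c in consumers}
    for s in sorted({t[0] for t in triples}):
        attrs = {p: o for _, p, o in query(triples, s=s)}
        for c, req in consumers.items():
            if (attrs.get(iri("sector")) == req["sector"]
                    and SEVERITY[attrs.get(iri("severity"), "low")] >= SEVERITY[req["min_severity"]]):
                out[c].append(s)
    return out

def catalogue(triples):
    """Pull mode, step 1: the provider publishes the available intelligence types."""
    return sorted({o for _, _, o in query(triples, p=iri("type"))})

def fetch(triples, type_name):
    """Pull mode, step 2: a consumer requests one category through the query interface."""
    return [s for s, _, _ in query(triples, p=iri("type"), o=iri(type_name))]

if __name__ == "__main__":
    wire = to_ntriples(INTEL)           # what the producer transmits
    received = parse_ntriples(wire)     # what the consumer reconstructs
    print(active_distribution(received))
    print(catalogue(received), fetch(received, "Ransomware"))
```

The receiving side parses with a strict grammar and raises on anything it does not recognise, which is the check a practitioner wants at the trust boundary between sharing partners: an item that does not round-trip through to_ntriples and parse_ntriples unchanged should not enter the local ontology.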
Collaborative threat intelligence sharing can be realized through threat intelligence ontology communication. In addition, sharing and collaboration of threat intelligence require the support of related systems and management modes: suitable sending, receiving and feedback nodes should be established in the relevant organizations, a scientific and effective sharing system should be established together with the network security management organization, and a threat intelligence sharing operation mode matched to cyberspace incident response should be built.
The above is only a preferred embodiment of the invention. It should be noted that a person skilled in the art can make several modifications and variations without departing from the technical principle of the invention, and these modifications and variations should also be regarded as within the scope of protection of the invention.

Claims (10)

1. A threat-driven network attack detection and response method, characterized by comprising a threat response step based on the attack life cycle and a threat intelligence sharing step based on ontology communication that is realized on the basis of the threat response step.
2. The method of claim 1, wherein the attack lifecycle-based threat response step comprises a prediction phase, a protection phase, a detection phase, and a response phase:
(1) prediction phase
The prediction stage generates multi-dimensional threat intelligence from a threat characteristic library and an attack surface description based on multi-source external threat information, in order to predict network attacks; the identification and prediction of threat characteristics is completed using a clustering method from machine learning;
(2) protection phase
In the protection stage, according to the attack surface description result in the prediction stage, namely, according to the threat information, selecting a safety protection product and service which accord with the self condition of a defender to obtain a defense strategy;
(3) detection phase
In the detection stage, a full-traffic detection product is used to inspect traffic according to the threat intelligence obtained in the prediction stage and the defense strategy obtained in the protection stage, and abnormal behavior analysis is used to identify which threat the abnormal behavior belongs to.
(4) Response phase
The response phase handles the threats discovered in the detection phase, performs characteristic learning and initiates threat intelligence sharing.
3. The method according to claim 2, wherein in the prediction phase, the flow of identification and prediction of the threat characteristic is specifically:
① normalization of threat characteristic data
The threat characteristic data from multiple sources are standardized by a linear transformation method:
let the data set of threat characteristic data be $D_r$ with $s$ data objects $X_1, X_2, \ldots, X_s$, each object having $t$ characteristic attributes, denoted $x_1, x_2, \ldots, x_j, \ldots, x_t$; the feature attribute data are normalized using
Figure FDA0002650143600000021
where $y_j$ is the normalized feature attribute; the normalized data set is $A_r = \{Y_1, Y_2, \ldots, Y_s\}$, $1 \le r \le q$, where $q$ is the number of characteristic types;
② threat feature cluster learning
Clustering learning is carried out on the threat characteristics using a multi-dimensional K-Means clustering algorithm, so as to form the judgment criterion elements for prediction;
using the normalized data sets $A_1, A_2, \ldots, A_q$, the initial number of clusters of each data set is set to 2, and clustering is computed on each data set to obtain the primary clustering results $R_1, R_2, \ldots, R_q$; the clustering results are then compared with the actual classification, the number of clusters of each data set is dynamically adjusted, and clustering is recomputed until the clustering result reaches the preset accuracy rate;
③ threat characteristic association mapping
For the multi-level threat characteristic clustering results, the association between the multi-level threat characteristics is completed in combination with the asset composition information, generating threat intelligence of the form $\langle \text{Asset}_i, \text{Threat}_1, \text{Threat}_2, \ldots, \text{Threat}_k \rangle$, which at the same time provides the basic data for the attack surface description.
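As an added worked example (not part of the patent), the prediction-phase flow of claim 3 in Python on constructed sample data: min-max scaling stands in for the linear transformation whose formula image is not reproduced here, the preset accuracy is measured as cluster purity against the known classification, and the feature values, truth labels and asset composition are all constructed. Each of these choices is an assumption, not the patent's own. The cluster count starts at 2 and is grown until the purity target is met, which generalizes the single adjustment step the claim describes.

```python
# Added example, not from the patent: claim 3's prediction-phase flow on constructed data.
# Assumptions (the patent's formula image is not reproduced): the "linear transformation"
# is min-max scaling, and clustering quality is measured as cluster purity against the
# known classification. Pure Python, no third-party packages.
import math
import random

# Constructed sample: one feature type (r = 1) with t = 2 attributes per object,
# [distinct destination ports contacted, bytes sent]; the ground-truth labels stand for
# the "actual classification condition" the claim compares clusters against.
SAMPLE = [
    (200, 1000), (180, 1200), (220, 900), (210, 1100),      # port-scan-like
    (2, 900000), (3, 850000), (1, 920000), (2, 880000),     # exfiltration-like
]
TRUTH = ["scan"] * 4 + ["exfil"] * 4
# Constructed asset composition: which observations belong to which asset.
ASSETS = {"web-01": [0, 1, 2, 3, 4], "db-02": [5, 6, 7]}


def normalize(dataset):
    """Step 1: min-max scale every attribute column x_j into y_j in [0, 1]."""
    t = len(dataset[0])
    lo = [min(row[j] for row in dataset) for j in range(t)]
    hi = [max(row[j] for row in dataset) for j in range(t)]
    return [
        [(row[j] - lo[j]) / (hi[j] - lo[j]) if hi[j] > lo[j] else 0.0 for j in range(t)]
        for row in dataset
    ]


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points, k, seed=0, max_iter=100):
    """Lloyd's K-Means; returns a cluster index per point."""
    rng = random.Random(seed)
    centroids = [list(p) for p in rng.sample(points, k)]
    labels = None
    for _ in range(max_iter):
        new_labels = [min(range(k), key=lambda c: _dist(p, centroids[c])) for p in points]
        if new_labels == labels:
            break
        labels = new_labels
        for c in range(k):
            members = [p for p, l in zip(points, labels) if l == c]
            if members:  # an emptied cluster keeps its previous centroid
                centroids[c] = [sum(col) / len(members) for col in zip(*members)]
    return labels


def purity(labels, truth):
    """Fraction of objects whose cluster's majority class matches their own class."""
    hits = 0
    for c in set(labels):
        members = [t for l, t in zip(labels, truth) if l == c]
        hits += max(members.count(t) for t in set(members))
    return hits / len(truth)


def cluster_with_adjustment(points, truth, target=0.9):
    """Step 2: start at k = 2 and grow k until purity reaches the preset accuracy."""
    k = 2
    while True:
        labels = kmeans(points, k)
        acc = purity(labels, truth)
        if acc >= target or k >= len(points):
            return k, labels, acc
        k += 1


def associate(labels, truth, assets):
    """Step 3: name each cluster by its majority class and emit
    <Asset_i, Threat_1, ..., Threat_k> tuples from the asset composition."""
    names = {}
    for c in set(labels):
        members = [t for l, t in zip(labels, truth) if l == c]
        names[c] = max(set(members), key=members.count)
    return [
        (asset, *sorted({names[labels[i]] for i in idxs}))
        for asset, idxs in sorted(assets.items())
    ]


def run():
    """Whole flow on the constructed sample; returns (k, purity, asset-threat tuples)."""
    k, labels, acc = cluster_with_adjustment(normalize(SAMPLE), TRUTH)
    return k, acc, associate(labels, TRUTH, ASSETS)


if __name__ == "__main__":
    print(run())
```

On the constructed sample the two classes are linearly separable, so k stays at 2 and purity reaches 1.0; with real multi-source data the loop in `cluster_with_adjustment` is where the "dynamic adjustment" of the claim does its work.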
4. The method of claim 3, wherein in the protection phase, the attack diversion strategy is formulated according to the following technical principles:
① based on the threat intelligence and the attack surface of $\text{Asset}_i$, select a risk port set $P_i$ and a service set $S_i$;
② dynamically allocate an IP address to the honeypot machine;
③ complete service installation on the honeypot machine and set up port mapping and port proxying;
④ configure the data capture and access control tools;
⑤ traverse the asset list, repeating the above steps until the asset list is empty.
5. The method as claimed in claim 4, wherein in the detection stage, abnormal behavior analysis is used to identify which threat the abnormal behavior belongs to: based on sandbox technology, combined with the big data analysis means of abnormal traffic detection, machine learning and association analysis, it is detected whether the related process creation or invocation, file or resource access behavior, and registry modification are abnormal.
6. The method of claim 5, wherein in the response phase, the threat handling methods include terminal isolation, network-layer IP blocking and isolation, system process handling, account freezing, application-layer blocking, and rejection of unsolicited responses.
7. The method of claim 6, wherein the threat intelligence sharing step based on ontology communication comprises transmitting the threat intelligence ontology after threat intelligence sharing is initiated, wherein the threat intelligence ontology is described in the RDF triple format.
8. The method of claim 7, wherein when the triple format of RDF is used to describe the threat intelligence ontology, nodes are used to represent resources and arcs are used to represent attribute relationships of resources.
9. The method of claim 8, wherein the transmission of the threat intelligence ontology is performed by encrypting the threat intelligence ontology data using an encryption scheme negotiated according to the sensitivity of the threat intelligence.
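An added example (not part of the patent) tying together the ontology communication of claims 7 to 9 and the ontology query of the description above: a small threat intelligence ontology held as RDF triples (resources as nodes, attribute relations as arcs), serialized to and parsed back from N-Triples for transmission, a conjunctive graph-pattern query of the kind a SPARQL basic graph pattern expresses, and a sensitivity-driven negotiation of the encryption scheme. The namespace, class and property names, the scheme identifiers, the strength ordering and the sensitivity floors are all constructed assumptions; the patent only says the scheme is "negotiated". The block performs the negotiation and serialization, not the cipher operation itself.

```python
# Added example, not from the patent: RDF-triple threat intelligence ontology (claims 7-8),
# a graph-pattern query over it, and the sensitivity-based scheme negotiation of claim 9.
# Namespace, vocabulary and scheme names are constructed assumptions.
import re

TI = "http://example.org/ti#"  # constructed namespace (assumption)

# Constructed ontology fragment: every node is a resource, every arc an attribute relation.
TRIPLES = {
    (TI + "intel-42", TI + "type", TI + "ThreatIntelligence"),
    (TI + "intel-42", TI + "sensitivity", "high"),
    (TI + "intel-42", TI + "describes", TI + "threat-7"),
    (TI + "threat-7", TI + "type", TI + "Threat"),
    (TI + "threat-7", TI + "targets", TI + "asset-web-01"),
    (TI + "threat-7", TI + "indicator", "198.51.100.23"),  # RFC 5737 documentation address
    (TI + "asset-web-01", TI + "type", TI + "Asset"),
    (TI + "asset-web-01", TI + "exposesPort", "443"),
}

_IRI, _LIT = r"<[^>]*>", r'"(?:[^"\\]|\\.)*"'
_LINE = re.compile(rf"^({_IRI}|{_LIT})\s+({_IRI})\s+({_IRI}|{_LIT})\s+\.$")


def _encode(term):
    """N-Triples term: IRIs in angle brackets, anything else a quoted, escaped literal."""
    if term.startswith(("http://", "https://")):
        return f"<{term}>"
    return '"' + term.replace("\\", "\\\\").replace('"', '\\"') + '"'


def _decode(token):
    body = token[1:-1]
    return body if token.startswith("<") else re.sub(r"\\(.)", r"\1", body)


def to_ntriples(triples):
    """Sender side: serialise the ontology, one triple per line."""
    return "".join(f"{_encode(s)} {_encode(p)} {_encode(o)} .\n" for s, p, o in sorted(triples))


def parse_ntriples(text):
    """Receiver side: rebuild the triple set; a malformed line is rejected, not skipped."""
    out = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"malformed triple line: {line!r}")
        out.add(tuple(_decode(tok) for tok in m.groups()))
    return out


def query(triples, patterns):
    """Conjunctive graph-pattern query (the shape of a SPARQL basic graph pattern):
    terms starting with '?' are variables; returns one binding dict per solution."""
    def unify(pattern, triple, binding):
        b = dict(binding)
        for term, value in zip(pattern, triple):
            if term.startswith("?"):
                if b.setdefault(term, value) != value:
                    return None
            elif term != value:
                return None
        return b

    solutions = [{}]
    for pat in patterns:
        solutions = [b for sol in solutions for t in sorted(triples)
                     if (b := unify(pat, t, sol)) is not None]
    return solutions


# Constructed scheme identifiers in ascending strength, and the minimum each
# sensitivity level demands (assumptions; the patent only says "negotiated").
SCHEMES = ["aes128-gcm", "aes256-gcm", "aes256-gcm-signed"]
FLOOR = {"low": "aes128-gcm", "medium": "aes256-gcm", "high": "aes256-gcm-signed"}


def negotiate(sensitivity, sender_supports, receiver_supports):
    """Strongest scheme both sides support that meets the sensitivity floor, else None."""
    floor = SCHEMES.index(FLOOR[sensitivity])
    common = set(sender_supports) & set(receiver_supports)
    acceptable = [s for s in SCHEMES[floor:] if s in common]
    return acceptable[-1] if acceptable else None


def prepare_transfer(triples, intel, sender_supports, receiver_supports):
    """Read the item's sensitivity from the graph, negotiate a scheme, and return
    (scheme, payload); None means the item must not leave the sender."""
    rows = query(triples, [(intel, TI + "sensitivity", "?s")])
    sensitivity = rows[0]["?s"] if rows else "high"  # unlabelled intelligence: treat as high
    scheme = negotiate(sensitivity, sender_supports, receiver_supports)
    return None if scheme is None else (scheme, to_ntriples(triples))
```

The query "which assets are targeted by threats described in high-sensitivity intelligence" is three patterns joined on shared variables, which is the kind of reasoning the description contrasts with a relational layout; the negotiation refuses to downgrade below the floor rather than silently sending with whatever the receiver offers.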
10. The method of claim 9, wherein the step of threat intelligence sharing based on ontology communication further comprises implementing threat intelligence distribution after threat information sharing is initiated, and the distribution mode comprises active and passive:
first, the active intelligence distribution method: relevant data is distributed to users based on the relationship between the threat intelligence content and the users' requirement attributes; after new or routine intelligence is generated, the producer pushes the data to the corresponding users according to the degree of match with the threat intelligence;
secondly, the passive intelligence distribution method: a demand-driven distribution method in which the threat intelligence provider publishes the available intelligence categories as a service on a portal, and users search for the content they need and then access it through a specified interface provided by the system.
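An added example (not part of the patent) of the two distribution modes of claim 10 and of the description above: the active mode scores each intelligence item against a subscriber's weighted requirement attributes and pushes the items that clear the subscriber's threshold, most urgent first; the passive mode is a portal that publishes categories, lets a consumer search them and serves content only through an interface that checks the consumer's entitlement. The matching-degree formula, the threshold, the tag vocabulary and all sample items and subscribers are constructed assumptions; the patent defines none of them.

```python
# Added example, not from the patent: active (push) and passive (portal) distribution
# of threat intelligence, claim 10. Matching formula, threshold and data are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Intel:
    intel_id: str
    urgency: int         # 1 = routine ... 5 = most urgent
    tags: frozenset      # content attributes, in a constructed vocabulary
    category: str        # category under which the provider publishes it


@dataclass
class Subscriber:
    name: str
    requirements: dict   # requirement attribute -> weight
    threshold: float = 0.5


# Constructed sample intelligence and subscribers.
ITEMS = [
    Intel("TI-001", 5, frozenset({"sector:energy", "asset:plc", "ttp:lateral-movement"}), "ics/alerts"),
    Intel("TI-002", 2, frozenset({"sector:finance", "asset:web", "ttp:credential-stuffing"}), "web/routine"),
    Intel("TI-003", 4, frozenset({"sector:energy", "asset:web", "ttp:phishing"}), "web/alerts"),
]
SUBSCRIBERS = [
    Subscriber("utility-soc", {"sector:energy": 2.0, "asset:plc": 1.0}),
    Subscriber("bank-soc", {"sector:finance": 2.0, "asset:web": 1.0}, threshold=0.6),
]


def matching_degree(intel, subscriber):
    """Weighted share of the subscriber's requirement attributes the item satisfies."""
    total = sum(subscriber.requirements.values())
    if total <= 0:
        return 0.0
    hit = sum(w for attr, w in subscriber.requirements.items() if attr in intel.tags)
    return hit / total


def active_distribute(items, subscribers):
    """Producer-side push: items clearing a subscriber's threshold, most urgent first,
    so the most critical intelligence reaches its receiver first."""
    plan = {}
    for sub in subscribers:
        scored = [(i, matching_degree(i, sub)) for i in items]
        chosen = [(i, m) for i, m in scored if m >= sub.threshold]
        chosen.sort(key=lambda im: (-im[0].urgency, -im[1], im[0].intel_id))
        plan[sub.name] = [i.intel_id for i, _ in chosen]
    return plan


class Portal:
    """Passive mode: the provider publishes categories; a consumer searches the
    catalogue and fetches through the portal interface, which checks entitlement."""

    def __init__(self):
        self._catalog = {}
        self._entitlements = {}

    def publish(self, item):
        self._catalog.setdefault(item.category, []).append(item)

    def entitle(self, consumer, *categories):
        self._entitlements.setdefault(consumer, set()).update(categories)

    def search(self, keyword):
        """Catalogue search returns category names only, never the content."""
        return sorted(c for c in self._catalog if keyword.lower() in c.lower())

    def fetch(self, consumer, category):
        """The specified access interface: entitlement is checked per category."""
        if category not in self._entitlements.get(consumer, set()):
            raise PermissionError(f"{consumer} is not entitled to {category}")
        return [i.intel_id for i in self._catalog.get(category, [])]


def build_portal():
    """Portal populated with the constructed items; bank-soc may read web/routine only."""
    portal = Portal()
    for item in ITEMS:
        portal.publish(item)
    portal.entitle("bank-soc", "web/routine")
    return portal


if __name__ == "__main__":
    print(active_distribute(ITEMS, SUBSCRIBERS))
    print(build_portal().search("web"))
```

Sorting by urgency before matching degree is what gives the active mode its timeliness property; in the passive mode the split between `search` (catalogue only) and `fetch` (entitlement-checked) is what keeps the published category list from leaking content to unentitled consumers.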

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010867543.9A CN112039865A (en) 2020-08-26 2020-08-26 Network attack detection and response method driven by threat

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010867543.9A CN112039865A (en) 2020-08-26 2020-08-26 Network attack detection and response method driven by threat

Publications (1)

Publication Number Publication Date
CN112039865A true CN112039865A (en) 2020-12-04

Family

ID=73581393

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010867543.9A Pending CN112039865A (en) 2020-08-26 2020-08-26 Network attack detection and response method driven by threat

Country Status (1)

Country Link
CN (1) CN112039865A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180191771A1 (en) * 2016-12-30 2018-07-05 Microsoft Technology Licensing, Llc Threat intelligence management in security and compliance environment
CN109981686A (en) * 2019-04-15 2019-07-05 广东电网有限责任公司 A kind of network security situational awareness method and system based on circulation confrontation

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
侯艳芳等: "基于自更新威胁情报库的大数据安全分析方法", 《电信科学》 *
金海旻等: "网络攻击防护体系发展趋势与建设思路研究", 《信息安全与通信保密》 *
陈兴蜀等: "基于大数据的网络安全与情报分析", 《工程科学与技术》 *
陈剑锋等: "面向网络空间安全的威胁情报本体化共享研究", 《通信技术》 *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111368302A (en) * 2020-03-08 2020-07-03 北京工业大学 Automatic threat detection method based on attacker attack strategy generation
CN112769797A (en) * 2020-12-30 2021-05-07 华北电力大学 Safety defense system and method for closed-source power engineering control system
CN113992430A (en) * 2021-12-24 2022-01-28 北京微步在线科技有限公司 Method and device for processing defect
CN113992430B (en) * 2021-12-24 2022-03-29 北京微步在线科技有限公司 Method and device for processing defect
CN115118469A (en) * 2022-06-15 2022-09-27 杭州温小度科技有限公司 Network security threat processing system and processing method thereof
CN115118469B (en) * 2022-06-15 2024-03-19 杭州温小度科技有限公司 Network security threat processing system and processing method thereof
CN116992460A (en) * 2023-09-25 2023-11-03 成都市蓉通数智信息技术有限公司 Software operation management system based on intelligent collaboration
CN116992460B (en) * 2023-09-25 2024-02-02 成都市蓉通数智信息技术有限公司 Software operation management system based on intelligent collaboration

Similar Documents

Publication Publication Date Title
US11418523B2 (en) Artificial intelligence privacy protection for cybersecurity analysis
US20220224716A1 (en) User agent inference and active endpoint fingerprinting for encrypted connections
US10003610B2 (en) System for tracking data security threats and method for same
Siadati et al. Detecting structurally anomalous logins within enterprise networks
EP2955894B1 (en) Deception network system
US9258321B2 (en) Automated internet threat detection and mitigation system and associated methods
CN112039865A (en) Network attack detection and response method driven by threat
US20180034837A1 (en) Identifying compromised computing devices in a network
WO2015134008A1 (en) Automated internet threat detection and mitigation system and associated methods
US20230095415A1 (en) Helper agent and system
Ahmed et al. Network traffic pattern analysis using improved information theoretic co-clustering based collective anomaly detection
Khairkar et al. Ontology for detection of web attacks
Alavizadeh et al. A survey on cyber situation-awareness systems: Framework, techniques, and insights
Ju et al. Hetemsd: A big data analytics framework for targeted cyber‐attacks detection using heterogeneous multisource data
Tang et al. Advanced Persistent Threat intelligent profiling technique: A survey
Alavizadeh et al. A survey on threat situation awareness systems: framework, techniques, and insights
Khan et al. Towards augmented proactive cyberthreat intelligence
CN118138361A (en) Security policy making method and system based on autonomously evolutionary agent
Roponena et al. Towards a Human-in-the-Loop Intelligent Intrusion Detection System.
US20240045990A1 (en) Interactive cyber security user interface
Pandey et al. Implementation and monitoring of network traffic security using machine learning
Qureshi et al. Analysis of challenges in modern network forensic framework
Tundis et al. An exploratory analysis on the impact of Shodan scanning tool on the network attacks
Prabhu et al. Detection of DDoS Attacks in IoT Devices
Pakmehr et al. DDoS attack detection techniques in IoT networks: a survey

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201204