CN112600825B - Attack event detection method and device based on isolation network - Google Patents

Attack event detection method and device based on isolation network

Info

Publication number: CN112600825B
Application number: CN202011432935.9A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN112600825A
Prior art keywords: preset, behavior, network, behaviors, exists
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Inventor: 周保辉
Current assignee: Beijing ThreatBook Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Beijing ThreatBook Technology Co Ltd
Priority date: (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)

Events: application filed by Beijing ThreatBook Technology Co Ltd; priority to CN202011432935.9A; publication of CN112600825A; application granted; publication of CN112600825B; legal status active; anticipated expiration.

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/02 ... for separating internal from external traffic, e.g. firewalls
        • H04L63/14 ... for detecting or protecting against malicious traffic
            • H04L63/1408 ... by monitoring network traffic
                • H04L63/1416 Event detection, e.g. attack signature detection
                • H04L63/1425 Traffic logging, e.g. anomaly detection
            • H04L63/1441 Countermeasures against malicious traffic
                • H04L63/145 ... the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
            • G06F21/55 Detecting local intrusion or implementing counter-measures
                • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Abstract

The application discloses an attack event detection method and device for an isolated network. The method comprises the following steps: while the device runs in the isolated network, polling whether a first preset behavior directed at a removable storage device exists in the isolated network; when such a first preset behavior exists, judging whether a second preset behavior that meets a set condition exists, where the second preset behavior is one related to the isolated network; when a second preset behavior meeting the set condition exists, determining that an attack event against the isolated network exists; and processing the attack event. With the scheme provided by the application, because the second preset behavior is related to the isolated network, the attack event is determined from that behavior, and the determination of attack events against the isolated network is therefore more accurate.

Description

Attack event detection method and device based on isolation network
Technical Field
The present application relates to the field of security protection, and in particular to an attack event detection method and apparatus for an isolated network.
Background
At present, enterprises detect compromised hosts and specific threats by subscribing to a professional threat intelligence detection service. Traditional threat intelligence detection works mainly by matching elements such as hashes, domain names and IP addresses against intelligence data, and with this approach factors such as the reliability, richness and timeliness of the intelligence data can seriously affect the user experience.
An isolated network is one in which two or more routable networks are kept apart by exchanging data only through a non-routable protocol. The core of network isolation technology is physical isolation: two networks whose link layers are disconnected exchange and share data through dedicated hardware and a security protocol, within a trusted network environment.
An attack flow against an isolated network may involve several different terminal environments. Lateral probing within the intranet is its core, and an attack aimed at damaging an industrial control network environment may be carried out in part without any interaction with a remote command-and-control server. This severely limits traditional threat intelligence detection when applied to attacks on isolated networks: it is not ideal for detecting specific attack events such as isolated-network attacks. How to provide an isolated-network-based attack event detection method that improves the accuracy of detecting attack events on the isolated network is therefore an urgent technical problem to be solved.
Disclosure of Invention
The embodiments of the application aim to provide an attack event detection method and device for an isolated network.
To solve the technical problem, the embodiments of the application adopt the following technical scheme. An attack event detection method for an isolated network comprises the following steps:
while the device runs in the isolated network, polling whether a first preset behavior directed at a removable storage device exists in the isolated network;
when a first preset behavior directed at the removable storage device exists in the isolated network, judging whether a second preset behavior that meets a set condition exists, where the second preset behavior is related to the isolated network;
when a second preset behavior meeting the set condition exists, determining that an attack event against the isolated network exists;
and processing the attack event.
The beneficial effect of this application lies in the following: while the device runs in the isolated network, it polls whether a first preset behavior directed at the removable storage device exists; when that first preset behavior exists, it judges whether a second preset behavior meeting a set condition exists, the second preset behavior being related to the isolated network; when such a second preset behavior exists, it determines that an attack event against the isolated network exists; and it processes the attack event. Because the second preset behavior is related to the isolated network, the attack event is determined from that behavior, and the determination of attack events against the isolated network is therefore more accurate.
In one embodiment, the first preset behavior comprises at least one of the following behaviors:
traversing the disk drive letters of the computer device, obtaining the drive type corresponding to each disk drive letter, and matching for disks of the removable type.
In one embodiment, polling whether a first preset behavior directed at the removable storage device exists in the isolated network includes:
cyclically matching the data collected by the EDR service against the data corresponding to the first preset behavior;
and when the match succeeds, determining that a first preset behavior directed at the removable storage device exists in the isolated network.
In one embodiment, the second predetermined behavior related to the isolated network includes at least one of the following behaviors:
read and write operations on specific file types in the removable storage device, lateral probing of computer devices in the local area network, traversal scanning of specific files on the computer, collection of information about the current host device, and collection of information about the current host user.
In one embodiment, judging whether a second preset behavior meeting the set condition exists includes:
judging whether the number of second preset behaviors reaches a preset number;
and when the number of second preset behaviors reaches the preset number, determining that a second preset behavior meeting the set condition exists.
In another embodiment, judging whether a second preset behavior meeting the set condition exists includes:
judging whether the total score of the various second preset behaviors appearing in the isolated network reaches a preset score;
and when the total score of all second preset behaviors appearing in the isolated network reaches the preset score, determining that a second preset behavior meeting the set condition exists.
In one embodiment, processing the attack event includes:
sending information corresponding to the attack event to a processing device at the exit of the local area network, so that the processing device performs at least one of the following processes on the attack event:
blocking, threat localization, forensic analysis and Trojan removal.
The application also provides an attack event detection device for an isolated network, including:
a polling module, used for polling whether a first preset behavior directed at a removable storage device exists in the isolated network while the device runs in the isolated network;
a judging module, used for judging whether a second preset behavior meeting a set condition exists when a first preset behavior directed at the removable storage device exists in the isolated network, the second preset behavior being related to the isolated network;
a determining module, used for determining that an attack event against the isolated network exists when a second preset behavior meeting the set condition exists;
and a processing module, used for processing the attack event.
In one embodiment, the first preset behavior comprises at least one of the following behaviors:
traversing the disk drive letters of the computer device, obtaining the drive type corresponding to each disk drive letter, and matching for disks of the removable type.
In one embodiment, the polling module includes:
a matching submodule, used for cyclically matching the data collected by the EDR service against the data corresponding to the first preset behavior;
and a determining submodule, used for determining that a first preset behavior directed at the removable storage device exists in the isolated network when the match succeeds.
In one embodiment, the second predetermined behavior related to the isolated network includes at least one of the following behaviors:
read and write operations on specific file types in the removable storage device, lateral probing of computer devices in the local area network, traversal scanning of specific files on the computer, collection of information about the current host device, and collection of information about the current host user.
In one embodiment, the judging module includes:
a first judging submodule, used for judging whether the number of second preset behaviors reaches the preset number;
and a first behavior-determining submodule, used for determining that a second preset behavior meeting the set condition exists when the number of second preset behaviors reaches the preset number.
In another embodiment, the judging module includes:
a second judging submodule, used for judging whether the total score of the various second preset behaviors appearing in the isolated network reaches a preset score;
and a second behavior-determining submodule, used for determining that a second preset behavior meeting the set condition exists when the total score of all second preset behaviors appearing in the isolated network reaches the preset score.
In one embodiment, the processing module includes:
a sending submodule, configured to send information corresponding to the attack event to a processing device at the exit of the local area network, so that the processing device performs at least one of the following processes on the attack event:
blocking, threat localization, forensic analysis and Trojan removal.
Drawings
Fig. 1 is a flowchart of an attack event detection method for an isolated network according to an embodiment of the present application;
Fig. 2 is a schematic diagram of an external network attacking an isolated network through a removable storage device;
Fig. 3 is a flowchart of an attack event detection method for an isolated network according to another embodiment of the present application;
Fig. 4 is a flowchart of an attack event detection method for an isolated network in a general embodiment of the present application;
Fig. 5 is a block diagram of an attack event detection apparatus for an isolated network according to an embodiment of the present application;
Fig. 6 is a block diagram of an attack event detection apparatus for an isolated network according to another embodiment of the present application.
Detailed Description
Various aspects and features of the present application are described herein with reference to the drawings.
It will be understood that various modifications may be made to the embodiments of the present application. Accordingly, the foregoing description should not be construed as limiting, but merely as exemplifications of embodiments. Those skilled in the art will envision other modifications within the scope and spirit of the application.
The accompanying drawings, which are incorporated in and constitute a part of the specification, illustrate embodiments of the application and, together with a general description of the application given above and the detailed description of the embodiments given below, serve to explain the principles of the application.
These and other characteristics of the present application will become apparent from the following description of preferred forms of embodiment, given as non-limiting examples, with reference to the attached drawings.
It is also to be understood that although the present application has been described with reference to some specific examples, those skilled in the art are able to ascertain many other equivalents to the practice of the present application.
The above and other aspects, features and advantages of the present application will become more apparent in view of the following detailed description when taken in conjunction with the accompanying drawings.
Specific embodiments of the present application are described hereinafter with reference to the accompanying drawings; however, it is to be understood that the disclosed embodiments are merely exemplary of the application, which can be embodied in various forms. Well-known and/or repeated functions and constructions are not described in detail, to avoid obscuring the application with unnecessary detail. Therefore, the specific structural and functional details disclosed herein are not to be interpreted as limiting, but merely as a basis for the claims and as a representative basis for teaching one skilled in the art to variously employ the present application in virtually any appropriately detailed structure.
The specification may use the phrases "in one embodiment," "in another embodiment," "in yet another embodiment," or "in other embodiments," which may each refer to one or more of the same or different embodiments in accordance with the application.
Fig. 1 is a flowchart of an attack event detection method for an isolated network according to an embodiment of the present application. The method includes the following steps S11-S14:
in step S11, while the device is operating in the isolated network, polling whether a first preset behavior directed at a removable storage device exists in the isolated network;
in step S12, when a first preset behavior directed at the removable storage device exists in the isolated network, judging whether a second preset behavior meeting a set condition exists, where the second preset behavior is related to the isolated network;
in step S13, when a second preset behavior meeting the set condition exists, determining that an attack event against the isolated network exists;
in step S14, processing the attack event.
In this embodiment, while the device operates in the isolated network, it polls whether a first preset behavior directed at the removable storage device exists in the isolated network.
An isolated network is one in which two or more routable networks are kept apart by exchanging data only through a non-routable protocol. The core of network isolation technology is physical isolation: two networks whose link layers are disconnected exchange and share data through dedicated hardware and a security protocol, within a trusted network environment.
Fig. 2 is a schematic diagram of an external network attacking an isolated network through a removable storage device. As can be seen from Fig. 2, an attack on the isolated network from the external network has to pass through the USB interface, and in particular has to use the removable storage device as its medium.
Specifically, it is detected whether there is a behavior of continuously listening for the removable storage device (i.e. the USB removable storage device shown in Fig. 2). Since the external network can currently attack the isolated network only through the removable storage device, this step is a sufficient condition for an isolated-network attack event; if such a behavior exists, the subsequent detection is performed.
The first preset behavior directed at the removable storage device may be at least one of the following behaviors:
traversing the disk drive letters of the computer device, obtaining the drive type corresponding to each disk drive letter, and matching for disks of the removable type.
Step S11 can be implemented specifically as: cyclically matching data collected by an EDR (Endpoint Detection and Response) service against the data corresponding to the first preset behavior; and when the match succeeds, determining that a first preset behavior directed at the removable storage device exists in the isolated network.
When a first preset behavior directed at the removable storage device exists in the isolated network, it is judged whether a second preset behavior meeting a set condition exists, the second preset behavior being related to the isolated network. Specifically, in the prior art an attack event is usually detected by matching elements such as hashes, domain names and IP addresses, but for the isolated network a scheme that matches these elements is not ideal. A second preset behavior that is more strongly correlated with the isolated network is therefore needed to determine whether what has been detected is an attack behavior. For example, the second preset behavior related to the isolated network includes at least one of the following behaviors:
read and write operations on specific file types in the removable storage device, lateral probing of computer devices in the local area network, traversal scanning of specific files on the computer, collection of information about the current host device, and collection of information about the current host user.
When a second preset behavior meeting the set condition exists, it is determined that an attack event against the isolated network exists.
Specifically, a second preset behavior meeting the set condition may mean that the number of second preset behaviors reaches a preset number, or that the total score of the second preset behaviors in the isolated network reaches a preset score.
After determining that an attack event against the isolated network exists, the attack event is processed, specifically by sending information corresponding to the attack event to a processing device at the exit of the local area network, so that the processing device performs at least one of the following processes on the attack event: blocking, threat localization, forensic analysis and Trojan removal.
The beneficial effect of this application lies in the following: while the device runs in the isolated network, it polls whether a first preset behavior directed at the removable storage device exists; when that first preset behavior exists, it judges whether a second preset behavior meeting the set condition exists, the second preset behavior being related to the isolated network; when such a second preset behavior exists, it determines that an attack event against the isolated network exists; and it processes the attack event. Because the second preset behavior is related to the isolated network, the attack event is determined from that behavior, and the determination of attack events against the isolated network is therefore more accurate.
In one embodiment, the first preset behavior comprises at least one of:
traversing the disk drive letters of the computer device, obtaining the drive type corresponding to each disk drive letter, and matching for disks of the removable type.
In this embodiment, since the external network can currently attack the isolated network only through the removable storage device, detecting whether a behavior of continuously monitoring the removable storage device (i.e. the USB removable storage device shown in Fig. 2) exists is a sufficient condition for an isolated-network attack event. Continuously monitoring the removable storage device may specifically include traversing the disk drives of the computer device, obtaining the drive type of each disk drive, matching for removable-type disks, and similar behaviors; in this embodiment the first preset behavior therefore includes a combination of one or more of these behaviors.
In one embodiment, step S11 above can be implemented as the following steps A1-A2:
in step A1, cyclically matching data collected by the EDR service against the data corresponding to the first preset behavior;
in step A2, when the match succeeds, determining that a first preset behavior directed at the removable storage device exists in the isolated network.
In this embodiment, the data collected by the EDR service is cyclically matched against the data corresponding to the first preset behavior, and when the match succeeds it is determined that a first preset behavior directed at the removable storage device exists in the isolated network.
In particular, EDR is an active security approach that monitors endpoints in real time and hunts for threats that have penetrated the enterprise's defenses. It is an emerging technology that gives better insight into what is happening on an endpoint, providing context and detailed information about an attack. The EDR service lets the device know whether and when an attacker has entered the network and detect the attack path as the attack occurs, helping the device respond to the event within the recorded time. If the collected behavior data matches the first preset behavior, a first preset behavior directed at the removable storage device exists in the isolated network.
In one embodiment, the second preset behavior related to the isolated network includes at least one of:
read and write operations on specific file types in the removable storage device, lateral probing of computer devices in the local area network, traversal scanning of specific files on the computer, collection of information about the current host device, and collection of information about the current host user.
In this embodiment, the second preset behavior related to the isolated network includes read and write operations on specific file types in the removable storage device, lateral probing of computer devices in the local area network, traversal scanning of specific files on the computer, collection of information about the current host device, collection of information about the current host user, and the like. It is to be understood that the application is not limited to the behaviors listed above: any behavior corresponding to threat intelligence related to the isolated network may be treated as a second preset behavior.
In one embodiment, as shown in Fig. 3, step S12 above can be implemented as the following steps S31-S32:
in step S31, judging whether the number of occurrences of second preset behaviors reaches a preset number;
in step S32, when the number of occurrences of second preset behaviors reaches the preset number, determining that a second preset behavior meeting the set condition exists.
In this embodiment, it is judged whether the number of second preset behaviors reaches a preset number, and when it does, it is determined that a second preset behavior meeting the set condition exists. For example, a count threshold such as 2 is preset. The second preset behaviors include read and write operations on specific file types in the removable storage device, lateral probing of computer devices in the local area network, traversal scanning of specific files on the computer, collection of information about the current host device, collection of information about the current host user, and the like. If the number of occurrences of these behaviors reaches 2, the second preset behavior meets the set condition, namely that the number of occurrences reaches 2.
It is understood that the count of 2 mentioned here need not distinguish between types of second preset behavior: for example, if the traversal scanning of specific files on the computer occurs twice, the second preset behavior may be considered to meet the set condition even if no other behavior occurs.
In one embodiment, different kinds of second preset behavior correspond to different scores, and step S12 can alternatively be implemented as the following steps B1-B2:
in step B1, judging whether the total score of the various second preset behaviors occurring in the isolated network reaches a preset score;
in step B2, when the total score of all second preset behaviors occurring in the isolated network reaches the preset score, determining that a second preset behavior meeting the set condition exists.
In this embodiment, different scores may be assigned to the different types of second preset behavior; it is then judged whether the total score of the second preset behaviors occurring in the isolated network reaches the preset score, and when it does, it is determined that a second preset behavior meeting the set condition exists.
For example, the preset score is 10; the score assigned to read and write operations on a specific file type in the removable storage device is 6, the score assigned to lateral probing of computer devices in the local area network is 5, the score assigned to traversal scanning of specific files on the computer is 4, the score assigned to collection of current host device information is 5, and the score assigned to collection of current host user information is 6.
If, for example, the read and write operation on a specific file type in the removable storage device occurs twice, the total score of all second preset behaviors occurring in the isolated network is 12, which exceeds the preset score of 10, indicating that a second preset behavior meeting the set condition exists. As another example, if the read and write operation on a specific file type in the removable storage device occurs once and the traversal scanning of specific files on the computer also occurs once, the total score is 10, which reaches the preset score and likewise indicates that the set condition is met. As a further example, if the traversal scanning of specific files on the computer occurs twice, the total score is 8 and the preset score is not reached; detection then continues. If no other second preset behavior occurs subsequently, no second preset behavior meeting the set condition exists; if another second preset behavior does occur, its score is added to the previous total of 8 to give a new total, and if the new total reaches 10, a second preset behavior meeting the set condition exists.
In one embodiment, the step S14 can be implemented as the following steps:
sending information corresponding to the attack event to a processing device at the local area network outlet, so that the processing device performs at least one of the following processes on the attack event:
blocking, threat localization, forensic analysis and Trojan removal.
Fig. 4 is a flowchart of an attack event detection method based on an isolated network in a general embodiment of the present application, which specifically includes the following steps:
EDR terminal behavior data is collected, and it is judged whether the behavior of continuously monitoring USB mobile storage devices exists; that is, in step S11 it is queried whether a first preset behavior for the mobile storage device exists in the isolated network. If it does not exist, it is determined that no isolated-network attack event is detected. If it does exist, the subsequent detection step judges whether the following behaviors exist: 1. read and write operations on specific file types (PE files and office files) in the USB mobile storage device; 2. horizontal detection (port scanning and network communication) of PCs in the local area network; 3. traversal scanning of office files on the PC; 4. collection of the current PC host device information and user information. These four items correspond to the read/write operation behavior for a specific file type in the mobile storage device, the horizontal detection behavior for computer devices in the local area network, the traversal scanning behavior for specific files on the computer, the collection behavior for current host device information and the collection behavior for current host user information described in the foregoing embodiments. When at least two of these behaviors are met, it is determined that an isolated-network attack is detected; an alarm is then raised through the linked equipment and subsequent processing is performed, such as blocking, threat localization, forensic analysis and Trojan removal. If at least two behaviors are not met, it is determined that no network attack is detected, and log data continues to be refreshed, analyzed and judged.
Fig. 5 is a block diagram of an attack event detection apparatus based on an isolated network according to an embodiment of the present application, where the apparatus includes the following modules:
the polling module 51 is configured to poll whether a first preset behavior for the mobile storage device exists in an isolated network when the device operates in the isolated network;
the judging module 52 is configured to, when the first preset behavior of the mobile storage device exists in the isolated network, judge whether a second preset behavior meeting a set condition exists, where the second preset behavior is related to the isolated network;
a determining module 53, configured to determine that an attack event to the isolated network exists when a second preset behavior meeting a set condition exists;
the processing module 54 is configured to process the attack event.
In one embodiment, the first preset behavior comprises at least one of the following behaviors:
traversing the disk drive letters of the computer device, acquiring the drive type corresponding to each disk drive letter, and matching a disk of removable type.
In one embodiment, as shown in fig. 6, the polling module 51 includes:
the matching submodule 61 is used for circularly matching the data collected by the EDR service with the data corresponding to the first preset behavior;
the determining submodule 62 is configured to determine that a first preset behavior for the mobile storage device exists in the isolated network when the matching is successful.
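The Fig. 4 flow together with the polling module's cyclic matching, as an added example (not code from the patent or from the applicant): constructed EDR-like events in key=value form are matched against the first preset behavior (drive-letter traversal and removable-type match), the remaining events are classified into the second preset behaviors named in the text, and the count-based set condition of at least two behaviors is applied before information is prepared for the processing device at the LAN outlet. The event names, fields, the process-image mappings for host and user information collection, and the lateral-probe threshold are assumptions of this example, and the log lines are constructed.

```python
# Added example, not code from the patent: a Fig. 4 style pipeline over constructed
# EDR-like events. Event names, fields and thresholds are assumptions made for the example.
import os
import re

PE_EXT = {".exe", ".dll", ".sys"}
OFFICE_EXT = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}
PRESET_NUMBER = 2               # "at least two behaviors" in the Fig. 4 description
LATERAL_MIN_TARGETS = 3         # assumed: this many distinct LAN host:port targets counts as probing
FIRST_BEHAVIOR_EVENTS = {"enum_drive_letters", "query_drive_type"}
DEVICE_INFO_IMAGES = {"systeminfo.exe", "hostname.exe"}   # assumed mapping to device-info collection
USER_INFO_IMAGES = {"whoami.exe"}                         # assumed mapping to user-info collection

# Constructed sample telemetry (key=value per line); not real log data.
SAMPLE_LOG = """\
ts=2020-12-07T09:00:01 host=PC-01 event=enum_drive_letters
ts=2020-12-07T09:00:02 host=PC-01 event=query_drive_type letter=C type=FIXED
ts=2020-12-07T09:00:02 host=PC-01 event=query_drive_type letter=E type=REMOVABLE
ts=2020-12-07T09:00:05 host=PC-01 event=file_rw op=write path=E:\\staging\\report.docx
ts=2020-12-07T09:00:09 host=PC-01 event=file_enum path=C:\\Users\\ops\\Documents\\plan.docx
ts=2020-12-07T09:00:09 host=PC-01 event=file_enum path=C:\\Users\\ops\\Documents\\budget.xlsx
ts=2020-12-07T09:00:12 host=PC-01 event=proc_exec image=whoami.exe
"""

BENIGN_LOG = """\
ts=2020-12-07T11:00:01 host=PC-02 event=enum_drive_letters
ts=2020-12-07T11:00:02 host=PC-02 event=query_drive_type letter=C type=FIXED
ts=2020-12-07T11:00:03 host=PC-02 event=file_enum path=C:\\Users\\ops\\Documents\\notes.txt
"""

def parse_events(text):
    """One dict per non-empty line; values are whitespace-free tokens."""
    return [dict(re.findall(r"(\w+)=(\S+)", line)) for line in text.splitlines() if line.strip()]

def match_first_preset_behavior(events):
    """Step S11 / polling module: cyclically match the collected data against the first preset
    behavior (drive-letter traversal, drive-type query, removable-disk match). Returns
    (matched, removable_letters); the letters later attribute file I/O to the device."""
    matched, removable = False, set()
    for ev in events:
        if ev.get("event") in FIRST_BEHAVIOR_EVENTS:
            matched = True
        if ev.get("event") == "query_drive_type" and ev.get("type") == "REMOVABLE":
            removable.add(ev.get("letter", "").upper())
    return matched, removable

def classify_second_behaviors(events, removable):
    """Map raw events onto the kinds of second preset behavior named in the patent."""
    kinds, lan_targets = set(), set()
    for ev in events:
        name = ev.get("event")
        path = ev.get("path", "")
        ext = os.path.splitext(path)[1].lower()
        if name == "file_rw" and path[:1].upper() in removable and ext in PE_EXT | OFFICE_EXT:
            kinds.add("removable_file_rw")
        elif name == "net_connect":
            lan_targets.add((ev.get("dst"), ev.get("dport")))
            if len(lan_targets) >= LATERAL_MIN_TARGETS:
                kinds.add("lateral_probe")
        elif name == "file_enum" and ext in OFFICE_EXT:
            kinds.add("file_traversal_scan")
        elif name == "proc_exec":
            image = ev.get("image", "").lower()
            if image in DEVICE_INFO_IMAGES:
                kinds.add("host_device_info")
            elif image in USER_INFO_IMAGES:
                kinds.add("host_user_info")
    return kinds

def detect(log_text, preset_number=PRESET_NUMBER):
    """Full Fig. 4 flow: gate on the first preset behavior, then require at least
    `preset_number` distinct second preset behaviors before raising an attack event."""
    events = parse_events(log_text)
    matched, removable = match_first_preset_behavior(events)
    if not matched:
        return {"attack": False, "reason": "no first preset behavior; keep polling"}
    kinds = classify_second_behaviors(events, removable)
    if len(kinds) < preset_number:
        return {"attack": False, "reason": "set condition not met; keep refreshing logs",
                "kinds": sorted(kinds)}
    # Information handed to the processing device at the LAN outlet (step S14).
    return {"attack": True, "host": events[0].get("host"), "kinds": sorted(kinds),
            "outlet_actions": ["block", "locate_threat", "forensic_analysis", "remove_trojan"]}

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
    print(detect(BENIGN_LOG))
```

The gate matters for false positives: drive enumeration and office-file enumeration are routine on any workstation, so the benign log yields only "keep refreshing logs", and an attack event is raised only once the removable-media access is joined by two distinct second behaviors.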
In one embodiment, the second predetermined behavior related to the isolated network includes at least one of the following behaviors:
read/write operation behavior for a specific file type in the mobile storage device, horizontal detection behavior for computer devices in the local area network, traversal scanning behavior for specific files on the computer, collection behavior for current host device information, and collection behavior for current host user information.
In one embodiment, the determining module includes:
the first judgment submodule is configured to judge whether the number of second preset behaviors reaches a preset number;
the first behavior determination submodule is configured to determine that a second preset behavior meeting the set condition exists when the number of second preset behaviors reaches the preset number.
In one embodiment, the determining module includes:
the second judgment submodule is configured to judge whether the total score of all second preset behaviors appearing in the isolated network reaches a preset score;
the second behavior determination submodule is configured to determine that a second preset behavior meeting the set condition exists when the total score of all second preset behaviors appearing in the isolated network reaches the preset score.
In one embodiment, the processing module includes:
a sending submodule, configured to send information corresponding to the attack event to a processing device at the local area network outlet, so that the processing device performs at least one of the following processes on the attack event:
blocking, threat localization, forensic analysis and Trojan removal.
The above embodiments are only exemplary embodiments of the present application, and are not intended to limit the present application, and the protection scope of the present application is defined by the claims. Various modifications and equivalents may be made by those skilled in the art within the spirit and scope of the present application and such modifications and equivalents should also be considered to be within the scope of the present application.

Claims (8)

1. An attack event detection method based on an isolation network is characterized by comprising the following steps:
when the mobile storage equipment runs in an isolation network, polling whether a first preset behavior to the mobile storage equipment exists in the isolation network;
when the isolation network has a first preset behavior for the mobile storage device, judging whether a second preset behavior meeting a set condition exists, wherein the second preset behavior is related to the isolation network, and the set condition comprises that the number of the second preset behavior reaches a preset number or the total score of the second preset behavior reaches a preset score;
when a second preset behavior meeting a set condition exists, determining that an attack event to the isolated network exists;
processing the attack event;
polling whether a first preset behavior for a mobile storage device exists in the isolated network comprises:
circularly matching data collected by the endpoint detection and response service with data corresponding to the first preset behavior;
when the matching is successful, determining that a first preset behavior for the mobile storage device exists in the isolated network.
2. The method of claim 1, wherein the first predetermined behavior comprises at least one of:
traversing the disk drive letters of the computer device, acquiring the drive type corresponding to each disk drive letter, and matching a disk of removable type.
3. The method of claim 1, wherein the second predetermined behavior related to the isolated network comprises at least one of:
read/write operation behavior for a specific file type in the mobile storage device, horizontal detection behavior for computer devices in the local area network, traversal scanning behavior for specific files on the computer, collection behavior for current host device information, and collection behavior for current host user information.
4. The method according to claim 1 or 3, wherein the determining whether there is a second predetermined behavior meeting a set condition comprises:
judging whether the number of the second preset behaviors reaches a preset number or not;
when the number of second preset behaviors reaches the preset number, determining that a second preset behavior meeting the set condition exists.
5. The method according to claim 1 or 3, wherein the second predetermined behaviors of different kinds correspond to different scores, and the determining whether the second predetermined behavior meeting the set condition exists comprises:
judging whether the total score of various second preset behaviors appearing in the isolated network reaches a preset score or not;
when the total score of all second preset behaviors appearing in the isolated network reaches the preset score, determining that a second preset behavior meeting the set condition exists.
6. The method of claim 1, wherein the processing the attack event comprises:
sending information corresponding to the attack event to a processing device at an exit of a local area network, so that the processing device performs at least one of the following processes on the attack event:
blocking, threat localization, forensic analysis and Trojan removal.
7. An attack event detection device based on an isolation network, comprising:
the polling module is used for polling whether a first preset behavior to the mobile storage device exists in the isolated network when the mobile storage device operates in the isolated network;
a judging module, configured to judge, when a first preset behavior for the mobile storage device exists in the isolated network, whether a second preset behavior meeting a set condition exists, wherein the second preset behavior is related to the isolated network, and the set condition comprises that the number of second preset behaviors reaches a preset number or the total score of second preset behaviors reaches a preset score;
the determining module is used for determining that an attack event to the isolated network exists when a second preset behavior meeting a set condition exists;
the processing module is used for processing the attack event;
the polling module comprises:
the matching submodule is used for circularly matching the data collected by the endpoint detection and response service with the data corresponding to the first preset behavior;
the determining submodule, configured to determine that a first preset behavior for the mobile storage device exists in the isolated network when the matching is successful.
8. The apparatus of claim 7, wherein the first predetermined behavior comprises at least one of:
traversing the disk drive letters of the computer device, acquiring the drive type corresponding to each disk drive letter, and matching a disk of removable type.
CN202011432935.9A 2020-12-07 2020-12-07 Attack event detection method and device based on isolation network Active CN112600825B (en)

Publications (2)

Publication Number Publication Date
CN112600825A CN112600825A (en) 2021-04-02
CN112600825B true CN112600825B (en) 2021-12-21


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant