CN112738126B - Attack tracing method based on threat intelligence and ATT&CK - Google Patents


Info

Publication number: CN112738126B
Authority: CN (China)
Prior art keywords: threat, information, attack, att, data
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202110020451.1A
Other languages: Chinese (zh)
Other versions: CN112738126A (en)
Inventors: 任传伦, 郭世泽, 张先国, 张威, 冯景瑜, 夏建民, 俞赛赛, 刘晓影, 乌吉斯古愣
Current Assignee: CETC 15 Research Institute; Xian University of Posts and Telecommunications (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original Assignee: CETC 15 Research Institute; Xian University of Posts and Telecommunications

Events
    • Application filed by CETC 15 Research Institute and Xian University of Posts and Telecommunications
    • Priority to CN202110020451.1A
    • Publication of CN112738126A
    • Application granted
    • Publication of CN112738126B
    • Legal status: Active (current)

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
              • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                • H04L63/1425 Traffic logging, e.g. anomaly detection
                • H04L63/1416 Event detection, e.g. attack signature detection
              • H04L63/1441 Countermeasures against malicious traffic
          • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
            • H04L2463/146 Tracing the source of attacks

Abstract

The invention discloses an attack tracing method based on threat intelligence and ATT&CK, implemented with a label module, a threat intelligence library module, a data preprocessing module and an ATT&CK processing module. Based on the application scenario, a mapping between the label system and the processing rules is first established, a weight coefficient is preset for each attack behavior attribute, and data in the log files is identified using the corresponding data features of the label system. An open-source threat intelligence collection and query framework is established, and threat intelligence is collected automatically from various open resources. From the attacker's perspective, the advanced penetration test attack matrix (ATT&CK) is combined with an analysis of the attacker's tactics, techniques and procedures to identify the technical points that need priority processing, and finally an attack tracing visual report is generated. The invention improves on traditional log data cleaning and single-source threat intelligence tracing, raises the efficiency of information retrieval through the rules preset in the label configuration module, and makes information classification and modeling easier.

Description

Attack tracing method based on threat intelligence and ATT&CK
Technical Field
The invention relates to the field of computer network security, and in particular to an attack tracing method based on threat intelligence and ATT&CK.
Background
A threat is a potential factor that can cause damage to a particular target system or asset. Hacking means have become diverse, methods complex and applications varied, and threats carry a large number of uncertain factors. The Advanced Persistent Threat (APT) in particular has become a network attack means that seriously endangers government and enterprise data security, owing to its sophisticated techniques, long attack duration and high damage potential.
In real scenarios, existing defense frameworks cannot discover a threat promptly and accurately before an APT attack causes serious economic loss. More importantly, in the post-incident review stage, the attack means are so complex and the attacker has injected so much interfering dirty data that it is difficult to pinpoint the vulnerability and reconstruct the detailed attack flow. In addition, the hundreds of gigabytes of log data that must be reviewed make the tracing process laborious. In general, the prior art has the following problems:
First, under real conditions the IPS in a production network produces a great deal of false alarm information every day, and for huge log files the traditional approach to tracing still relies on inefficient IP-Time-Process style log processing and attack behavior screening, consuming a great deal of time and labor.
Second, threat intelligence is not always complete and often contains only a single piece or a few pieces of attacker information; the intent of an attack within its life cycle and the attack flow cannot be closely related through the threat intelligence, and the disordered attacker information greatly complicates the tracing process.
Third, an attacker may perform a large amount of probing before executing the attack, and may even inject dirty data during the attack to obscure its real purpose, which further increases the difficulty of tracing.
To address these problems, a labeling technique is first introduced: a mapping between the label system and threat levels is established, logs are preprocessed using threat intelligence, and the data carrying hidden threats is cleaned out and screened. Log files from different application scenarios with different characteristics are given specific labels, which facilitates classification, analysis and management.
Because threat intelligence alone often cannot tightly connect the stages of an attack, the invention combines it with the ATT&CK adversary framework (the advanced penetration test attack matrix) to assist in attack tracing and positioning: from the partial key information already available, the techniques, tactics and procedures the adversary may have used are inferred, the logs are filtered and scanned in a targeted way, and context association information is added, enriching the attack semantics and completing the attacker's path.
In view of this situation, the invention provides an attack tracing method based on threat intelligence and ATT&CK.
Disclosure of Invention
To address the problems of the conventional network security attack tracing technology, namely difficult log data classification, inefficient processing, difficult localization of security incidents, difficult recovery of attacker paths and incomplete threat intelligence about attack events, an attack tracing method based on threat intelligence and ATT&CK is provided, implemented with a label module, a threat intelligence library module, a data preprocessing module and an ATT&CK processing module. The threat intelligence library module comprises an external threat collection submodule, an internal threat aggregation analysis submodule and an internal threat intelligence library. The ATT&CK processing module comprises an ATT&CK framework analysis submodule, a data processing submodule and a feedback submodule. The label module is connected to the data preprocessing module; the data preprocessing module is connected to both the ATT&CK processing module and the threat intelligence library module; and the ATT&CK processing module is connected to the threat intelligence library module. The external threat collection submodule is connected to the internal threat intelligence library, the internal threat collection submodule is connected to the internal threat aggregation analysis submodule, and the internal threat aggregation analysis submodule is connected to the internal threat intelligence library. The ATT&CK framework analysis submodule is connected to the data processing submodule, and the data processing submodule is connected to the feedback submodule.
The method comprises the following specific steps:
Based on the application scenario, first establish a mapping between the label system and the processing rules, preset a weight coefficient for each attack behavior attribute, and identify data in the log files using the corresponding data features of the label system. According to the nature of the threat, the data in the log files is identified by the features exposed by the attack behavior, such as IP addresses, MD5 identifiers, hash identifiers and domain names.
Collect internal security threats, and establish and refine an internal threat intelligence library by combining them with the threat intelligence sources shared by external platforms.
Use the external threat collection submodule to establish an open-source threat intelligence collection and query framework that automatically collects threat intelligence from various open resources. Web crawler technology and API interfaces simplify the external collection flow and enable rapid collection and sorting of threat intelligence; the collected data is stored in the internal threat intelligence library using a relational database. The web crawler parses web pages and crawls their content with Python libraries such as BeautifulSoup, Requests and Scapy, targeting Twitter, Tor, darknet forums, the 360 security portal, FreeBuf, FireEye, McAfee and the like. API interfaces are used to collect threat intelligence from open-source threat intelligence sharing platforms and vendors, including AlienVault OTX, GreyNoise, Hunter and MalShare, all of which provide fixed API interfaces for retrieving the collected information.
Use the internal threat collection submodule to collect data sources, including the illegal access, unauthorized access, identity authentication events and irregular operations monitored by traditional security devices such as firewalls, IDS and IPS, as well as data obtained through sandbox execution, honeypot technology, DPI, DFI, malicious code detection and the like.
Use the internal threat aggregation analysis submodule to discover the context, scenario indicators, attack indicators and attack impact related to a given threat under a specific trend and situation in the whole environment, collect and analyze the security event information established while handling the threat, and finally store the analysis result in the internal threat intelligence library according to the threat intelligence format standard.
After the internal threat intelligence library is established, the files requiring tracing detection are preprocessed by the data preprocessing module: their log files are preliminarily filtered, and the preprocessed threat information is screened out of the log files using multi-dimensional information such as IP addresses, MD5 identifiers, hash identifiers, domain names and attack features. During preprocessing, the label module marks the data in the log files with the corresponding threat weight labels according to the preset mapping between the label system and the processing rules, and the corresponding features exposed by the attack behavior are marked by regular-expression matching of the label system rules.
The data output by the data preprocessing module is sent to the ATT&CK processing module. Using the ATT&CK processing module together with the advanced penetration test attack matrix, the technical points requiring priority processing are identified from the attacker's perspective through an analysis of the attacker's tactics, techniques and procedures (TTPs), which improves tracing accuracy.
The ATT&CK framework analysis submodule in the ATT&CK processing module performs ATT&CK analysis and constructs an attacker path model in combination with the local network topology. The submodule holds all the methods an attacker might use and information such as the routes traversed, and on this basis simulates and establishes the attacker's attack path model.
Based on the model generated by the analysis submodule, the data processing submodule in the ATT&CK processing module loads the data output by the data preprocessing module as a new data source and processes the log data in priority order (gradient processing) according to the label information. The data processing submodule then continues to supplement the attack behavior information with the following operations: first, for the attack behaviors that have been recovered more completely, the attacker path is remodeled on the basis of the traditional threat intelligence, and the context of the attack behaviors is enriched according to their progressive relationship; second, for the information that is still incomplete and the attack behaviors not yet uncovered, gap filling is performed on the obtained information according to the model generated by the analysis submodule: the links missing from the attack information are located, and for each missing link the log information is collected and filtered again using the attack features, attack areas and other information of that link.
The feedback submodule in the ATT&CK processing module performs the following operations: first, after collecting and organizing the attack path information completed by the data processing submodule, it writes the information into the local threat intelligence library in a specified format; second, it generates an attack tracing visual report that is tightly connected with the attacker's context.
The invention has the following beneficial effects:
1. The attack tracing method based on threat intelligence and ATT&CK disclosed by the invention improves on traditional log data cleaning and single-source threat intelligence tracing: rules are preset through the label configuration module, threat weights are judged from multi-dimensional information and marked as labels, the label rules are optimized, information retrieval efficiency is improved, and later information sorting, classification and modeling are facilitated.
2. By establishing a local threat intelligence library and combining threat intelligence with the label system, the method on the one hand avoids meaningless operations after an attacker is detected, such as excessive repeated access, probing and dirty data injection, for example an attacker forging IP addresses and other information to inflate the number of marks and consume system resources; on the other hand, attack behaviors with similar threat levels tend to share a common origin or similar attack paths, so the workload can be greatly reduced.
3. By combining ATT&CK with threat intelligence, the method on the one hand addresses the single-source, incomplete and disordered character of threat intelligence, and on the other hand refines the threat intelligence by establishing a local threat intelligence library; through local ATT&CK modeling analysis and accurate association of the attack behaviors before and after an event, detection and discovery are further promoted, achieving a closed-loop, self-learning and self-updating framework.
Drawings
Fig. 1 is an overall framework of an implementation system of the present invention.
Fig. 2 is a schematic diagram of the components of the threat intelligence library module.
Detailed Description
For a better understanding of the present disclosure, an example is given here.
An attack tracing method based on threat intelligence and ATT&CK is implemented as follows:
As shown in Fig. 1, the method is implemented with a label module, a threat intelligence library module, a data preprocessing module and an ATT&CK processing module. The threat intelligence library module comprises an external threat collection submodule, an internal threat aggregation analysis submodule and an internal threat intelligence library. The ATT&CK processing module comprises an ATT&CK framework analysis submodule, a data processing submodule and a feedback submodule. The label module is connected to the data preprocessing module; the data preprocessing module is connected to both the ATT&CK processing module and the threat intelligence library module; and the ATT&CK processing module is connected to the threat intelligence library module. The external threat collection submodule is connected to the internal threat intelligence library, the internal threat collection submodule is connected to the internal threat aggregation analysis submodule, and the internal threat aggregation analysis submodule is connected to the internal threat intelligence library. The ATT&CK framework analysis submodule is connected to the data processing submodule, and the data processing submodule is connected to the feedback submodule.
Based on the application scenario, first establish a mapping between the label system and the processing rules, preset a weight coefficient for each attack behavior attribute, and use the corresponding data features of the label system to identify data in the log files, so that the processing rules are standardized and generalized. Unlike the traditional way of building a label index, information is not marked using a single IP address as the identifier, which would inflate the number of marks and increase the workload. Instead, the method exploits the special structure of threat intelligence: the features exposed by the attack behavior, such as IP addresses, MD5 identifiers, hash identifiers and domain names, are identified according to the nature of the threat. The advantage of this identification is that attack behaviors with similar threat levels very probably share a common origin or similar attack paths, so the workload can be greatly reduced. The identification rules also avoid the problem of an attacker forging IP addresses and other information to inflate the number of marks and consume resources. The label system threat weights are shown in Table 1.
Table 1: Label system threat weight table

Threat weight    Threat intelligence features
1                (IP, hash, domain, etc.) broadly denotes high-risk behavior features such as C&C or privilege escalation
2                (IP, hash, domain, etc.) generally denotes high-risk behavior features such as command execution or ARP attacks
3                (IP, hash, domain, etc.) generally denotes medium-risk behavior features such as backdoor traffic or WAF bypass
4                (IP, hash, domain, etc.) generally denotes low-risk behavior features such as probing, scanning or collection
As shown in Fig. 2, the threat intelligence library module comprises an external threat collection submodule, an internal threat aggregation analysis submodule and an internal threat intelligence library.
Internal security threats are collected, and a local threat intelligence library is established and refined by combining them with the threat intelligence sources shared by external platforms, so that attack data can be analyzed and traced quickly and efficiently. Once the local threat intelligence library is established, the threat intelligence greatly reduces the work of log retrieval; the collection and arrangement of internal security threats must be combined with the shared threat intelligence sources of each external platform to complete this most basic local threat intelligence library.
The external threat collection submodule is used to establish an open-source threat intelligence collection and query framework that automatically collects threat intelligence from various open resources; web crawler technology and API interfaces simplify the external collection flow and enable rapid collection and arrangement of threat intelligence. The web crawler parses web pages and crawls their content with Python libraries such as BeautifulSoup, Requests and Scapy, targeting Twitter, Tor, darknet forums, the 360 security portal, FreeBuf, FireEye, McAfee and the like. API interfaces are used to collect threat intelligence from open-source threat intelligence sharing platforms and vendors, including AlienVault OTX, GreyNoise, Hunter and MalShare, all of which provide fixed API interfaces for retrieving the collected information.
In the method, all data collected by the external threat collection submodule is in the standardized, structured format defined by the international threat intelligence standard STIX and is stored in the internal threat intelligence database. Because the collected data represents a series of linked attack behaviors, it is stored in a relational database such as MySQL or Msql.
As shown in Fig. 2, the internal threat collection submodule collects data sources: on the one hand, the illegal access, unauthorized access, identity authentication events, irregular operations and the like monitored by conventional security devices represented by firewalls, IDS and IPS; on the other hand, sandbox execution, honeypots, DPI, DFI, malicious code detection and the like, that is, everything obtained by collecting the results of traditional detection equipment or native middleware logs.
The internal threat aggregation analysis submodule is used to discover the context, scenario indicators, attack indicators and attack impact related to a given threat under a specific trend and situation in the whole environment, to collect and analyze the security event information established while handling the threat, and finally to store the analysis result in the internal threat intelligence library according to the threat intelligence format standard. The internal threat aggregation analysis submodule collates the results according to the STIX structured threat intelligence format.
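The two submodules above both write into the library in the STIX structured format. The following added example (not code from the patent or its authors) shows that normalization step for the IoC types the label system keys on: a raw record as a feed API or crawler might return it is validated and turned into a STIX 2.1 Indicator object with a STIX pattern, and the Table 1 threat weight is carried in the object's `labels`. The raw record field names (`ioc_type`, `value`, `weight`, `source`, `description`) and the `threat-weight-N` label convention are assumptions of this example; the object field names follow the STIX 2.1 specification, and no external library is needed.

```python
"""Collected IoCs -> STIX 2.1 indicators (added example; not the patent's code).

A raw collected record (constructed here; its field names are this example's
assumption) is validated and turned into a STIX 2.1 Indicator. The Table 1
threat weight travels in `labels` as 'threat-weight-N' (also this example's
convention) so the preprocessing stage can read it back from the library.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Shape check and STIX pattern template per IoC type (STIX 2.1 observables).
IOC_TYPES = {
    "ipv4": (r"(?:\d{1,3}\.){3}\d{1,3}", "[ipv4-addr:value = '{v}']"),
    "domain": (r"(?:[a-z0-9-]+\.)+[a-z]{2,}", "[domain-name:value = '{v}']"),
    "md5": (r"[0-9a-f]{32}", "[file:hashes.MD5 = '{v}']"),
    "sha256": (r"[0-9a-f]{64}", "[file:hashes.'SHA-256' = '{v}']"),
}


def _stix_time(dt):
    """STIX 2.1 timestamp: UTC, millisecond precision, trailing Z."""
    u = dt.astimezone(timezone.utc)
    return u.strftime("%Y-%m-%dT%H:%M:%S.") + f"{u.microsecond // 1000:03d}Z"


def to_stix_indicator(raw, now=None):
    """Validate a raw collected record and build a STIX 2.1 Indicator.
    Raises ValueError for an unknown type, a malformed value or a weight
    outside Table 1, so bad feed data never reaches the library."""
    ioc_type = raw["ioc_type"]
    if ioc_type not in IOC_TYPES:
        raise ValueError(f"unsupported IoC type: {ioc_type!r}")
    shape, template = IOC_TYPES[ioc_type]
    value = raw["value"].strip().lower()
    if not re.fullmatch(shape, value):
        raise ValueError(f"{ioc_type} value malformed: {raw['value']!r}")
    weight = int(raw["weight"])
    if weight not in (1, 2, 3, 4):
        raise ValueError("threat weight must be 1..4 (Table 1)")
    ts = _stix_time(now or datetime.now(timezone.utc))
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": f"{ioc_type} indicator from {raw['source']}",
        "description": raw.get("description", ""),
        "indicator_types": ["malicious-activity"],
        "pattern": template.format(v=value),
        "pattern_type": "stix",
        "valid_from": ts,
        "labels": [f"threat-weight-{weight}"],
    }


def weight_of(indicator):
    """Recover the Table 1 weight from an indicator written by to_stix_indicator."""
    for label in indicator.get("labels", []):
        m = re.fullmatch(r"threat-weight-([1-4])", label)
        if m:
            return int(m.group(1))
    return None


def stix_bundle(objects):
    """Wrap indicators in a STIX 2.1 Bundle for storage or exchange."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


# Constructed raw records as a feed API or crawler might return them.
RAW_RECORDS = [
    {"ioc_type": "ipv4", "value": "198.51.100.23", "weight": 1,
     "source": "constructed-feed", "description": "C2 server (constructed)"},
    {"ioc_type": "md5", "value": "44D88612FEA8A8F36DE82E1278ABB02F", "weight": 2,
     "source": "constructed-sandbox"},
    {"ioc_type": "domain", "value": "evil-update.example", "weight": 3,
     "source": "constructed-crawler"},
]

if __name__ == "__main__":
    print(json.dumps(stix_bundle(to_stix_indicator(r) for r in RAW_RECORDS), indent=2))
```

Validating the value against its declared type before building the pattern is what keeps a malformed or mislabelled feed entry from being written into the library as a syntactically valid but useless indicator.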
After the internal threat intelligence library is established, the data preprocessing module preprocesses the files requiring tracing detection: their log files are preliminarily filtered, and the preprocessed threat information is screened out of the log files using multi-dimensional information such as IP addresses, MD5 identifiers, hash identifiers, domain names and attack features. The log information carrying hidden threats is thereby greatly reduced, and the analyzed and filtered log information has a high true positive rate (TPR). At the same time, during preprocessing the label module marks the data in the log files with the corresponding threat weight labels according to the preset mapping between the label system and the processing rules, and the corresponding features exposed by the attack behavior are marked by regular-expression matching of the label system rules. Classification by threat weight makes later tracing, identification and final analysis and summarization easier.
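The label-based preprocessing just described (and the Table 1 weights it relies on), as an added example that is not code from the patent or its authors: a local threat intelligence library maps IoC values to a Table 1 weight, regular expressions pull IP, MD5, SHA-256 and domain features out of each log line, lines whose features are known to the library are labelled with the weight, and the labelled records are ordered highest risk first so the later stage can process them in priority order. The library entries, log lines and field names are constructed for the example.

```python
"""Label-based log preprocessing (added example; not code from the patent).

A local threat intelligence library maps IoCs (IP, MD5, SHA-256, domain)
to a Table 1 threat weight (1 = highest risk, 4 = lowest). Each log line
is scanned with regular expressions for those IoC types, lines whose IoCs
the library knows are labelled with the weight, and the labelled records
are ordered so the highest-risk data is processed first. Library entries
and log lines are constructed samples.
"""
import re
from collections import namedtuple

# Table 1: threat weight -> the feature class it stands for.
THREAT_WEIGHT_FEATURES = {
    1: "high risk: C&C, privilege escalation",
    2: "high risk: command execution, ARP",
    3: "medium risk: backdoor traffic, WAF bypass",
    4: "low risk: probing, scanning, collection",
}

# Constructed local threat intelligence library: IoC value -> (weight, note).
LOCAL_INTEL = {
    "198.51.100.23": (1, "C2 server (constructed)"),
    "203.0.113.77": (4, "mass scanner (constructed)"),
    "evil-update.example": (3, "backdoor beacon domain (constructed)"),
    "44d88612fea8a8f36de82e1278abb02f": (2, "dropper MD5 (constructed)"),
}

# Regular expressions for the IoC types the label system keys on. The word
# boundaries keep the 32-hex MD5 pattern from matching inside a 64-hex SHA-256.
IOC_PATTERNS = [
    ("sha256", re.compile(r"\b[0-9a-fA-F]{64}\b")),
    ("md5", re.compile(r"\b[0-9a-fA-F]{32}\b")),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)),
]

Labelled = namedtuple("Labelled", "weight ioc_type ioc line")


def extract_iocs(line):
    """Return (type, value) pairs for every IoC-shaped token in a log line."""
    return [(t, m.group(0).lower()) for t, p in IOC_PATTERNS for m in p.finditer(line)]


def label_line(line, intel=LOCAL_INTEL):
    """Label one line with the most severe (lowest) weight of any IoC in it
    that the local library knows; None when it carries no known feature."""
    best = None
    for ioc_type, value in extract_iocs(line):
        hit = intel.get(value)
        if hit is not None and (best is None or hit[0] < best.weight):
            best = Labelled(hit[0], ioc_type, value, line)
    return best


def preprocess_logs(lines, intel=LOCAL_INTEL):
    """Data preprocessing: drop lines without a known threat feature, label
    the rest, and order them highest risk first (stable within a weight)."""
    labelled = (label_line(line, intel) for line in lines)
    return sorted((r for r in labelled if r is not None), key=lambda r: r.weight)


# Constructed log lines in the style of firewall, IDS, DNS and AV logs.
SAMPLE_LOGS = [
    "2021-01-05T10:01:02 fw ALLOW src=10.0.0.8 dst=203.0.113.77 dport=22",
    "2021-01-05T10:01:09 ids SCAN src=203.0.113.77 dst=10.0.0.8 ports=1-1024",
    "2021-01-05T10:03:41 dns query host=ws01 qname=evil-update.example",
    "2021-01-05T10:04:00 av detect file=svc.exe md5=44d88612fea8a8f36de82e1278abb02f",
    "2021-01-05T10:04:30 fw ALLOW src=10.0.0.8 dst=198.51.100.23 dport=443",
    "2021-01-05T10:05:00 fw ALLOW src=10.0.0.9 dst=192.0.2.10 dport=80",
]

if __name__ == "__main__":
    for rec in preprocess_logs(SAMPLE_LOGS):
        print(rec.weight, THREAT_WEIGHT_FEATURES[rec.weight], rec.ioc_type, rec.ioc)
```

Keying the label on the intelligence feature rather than on every source IP is what the text means by avoiding an inflated mark count: the unknown internal address in each line is extracted but never labelled, and the sixth sample line, which matches nothing in the library, is dropped before the ATT&CK stage sees it.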
The data output by the data preprocessing module is sent to the ATT&CK processing module. Before the ATT&CK module processes it, note that the information contained in threat intelligence is not necessarily complete, and threat intelligence is usually recorded only for the attack features of a certain organization in a certain time period. Processing and extracting data with threat intelligence alone therefore yields a single-dimensional result that cannot be well related to each attack behavior. Using the ATT&CK processing module together with the advanced penetration test attack matrix, the attacker's tactics, techniques and procedures (TTPs) are analyzed from the attacker's perspective to identify the technical points requiring priority processing, improving tracing accuracy. MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base serves as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. ATT&CK is open, and any person or organization can use it free of charge.
The ATT&CK framework analysis submodule in the ATT&CK processing module performs ATT&CK analysis and constructs an attacker path model in combination with the local network topology. The submodule holds all the methods an attacker might use and information such as the routes traversed, and on this basis simulates and establishes the attacker's attack path model. From the attacker's perspective, the attack path proceeds through the ATT&CK tactics Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, and Exfiltration.
The attacker attack path model is processed and modeled with NLP methods from AI. Threat intelligence includes Chinese and English text, video, audio, bit streams and other complex formats; NLP methods combined with ATT&CK are used for text classification, part-of-speech tagging, syntactic analysis, information retrieval, information extraction, question answering and machine translation, the model is built step by step, and finally the data output by the data preprocessing module is loaded into the data processing submodule as a new data source. After the data processing submodule reads the labels, the data is processed in priority order according to the written label values; attacks with the same threat level tend to share similar attack features, and similar threat levels make it convenient to classify and summarize similar attack behaviors. Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about a threat or hazard to which an asset is exposed, which can support the asset owner's decisions about responding to or handling the threat or hazard. Any data that represents behavior with threat implications is threat intelligence: originally isolated data is analyzed from the inside to extract data with threat meaning, and the extracted information is the threat intelligence.
Based on the model generated by the analysis submodule, the data processing submodule in the ATT&CK processing module loads the data output by the data preprocessing module as a new data source and processes the log data in priority order (gradient processing) according to the label information. Attacks with the same threat level more easily share the same attack features, which further simplifies the tracing process. The data processing submodule then continues to supplement the attack behavior information with the following operations: first, for the attack behaviors that have been recovered more completely, the attacker path is remodeled on the basis of the traditional threat intelligence, and the context of the attack behaviors is enriched according to their progressive relationship; second, for the information that is still incomplete and the attack behaviors not yet uncovered, gap filling is performed on the obtained information according to the model generated by the analysis submodule: the links missing from the attack information are located, and for each missing link the log information is collected and filtered again using the attack features, attack areas and other information of that link.
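The two data processing operations above (rebuilding the attacker path along the ATT&CK tactic chain, then locating the missing links and deciding what to re-filter the logs for), together with the text form of the report the feedback submodule produces, as an added example that is not code from the patent or its authors. The tactic order is the Enterprise ATT&CK matrix order given above and the technique IDs are real ATT&CK IDs; the observed events, the per-tactic search features and the report layout are constructed for the example.

```python
"""ATT&CK attacker path model with gap filling (added example; not the patent's code).

Events already recovered from labelled logs are ordered along the ATT&CK
tactic chain to rebuild the attacker path; the tactics missing between the
first and last observed stages are the gaps, and for each gap the table of
search features says which logs to collect and filter again. Observed
events and the hint table are constructed for this example.
"""
from dataclasses import dataclass

# Enterprise ATT&CK tactic order, as listed in the text above.
TACTIC_ORDER = [
    "Initial Access", "Execution", "Persistence", "Privilege Escalation",
    "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
    "Collection", "Command and Control", "Exfiltration",
]
TACTIC_INDEX = {t: i for i, t in enumerate(TACTIC_ORDER)}

# Constructed hint table: log source and features to re-filter for when a
# tactic is missing from the recovered path.
GAP_SEARCH_FEATURES = {
    "Persistence": ("endpoint", ["run key", "scheduled task", "service install"]),
    "Privilege Escalation": ("endpoint", ["token manipulation", "uac", "setuid"]),
    "Defense Evasion": ("endpoint", ["log cleared", "process injection", "amsi"]),
    "Credential Access": ("endpoint", ["lsass access", "credential dump", "ntds"]),
    "Discovery": ("network", ["port scan", "net view", "nslookup"]),
    "Lateral Movement": ("network", ["smb", "rdp", "winrm", "admin share"]),
    "Collection": ("endpoint", ["archive", "screenshot", "clipboard"]),
}


@dataclass(frozen=True)
class Event:
    time: str        # timestamp taken from the log line
    technique: str   # ATT&CK technique ID
    tactic: str      # ATT&CK tactic the technique was mapped to
    weight: int      # Table 1 threat weight assigned by the label module


def build_path(events):
    """Rebuild the attacker path: events ordered by ATT&CK tactic, then by
    time. An unknown tactic is an error, not something to drop silently."""
    for e in events:
        if e.tactic not in TACTIC_INDEX:
            raise ValueError(f"unknown ATT&CK tactic: {e.tactic!r}")
    return sorted(events, key=lambda e: (TACTIC_INDEX[e.tactic], e.time))


def missing_links(events):
    """Tactics absent between the earliest and latest observed stages."""
    if not events:
        return []
    seen = {TACTIC_INDEX[e.tactic] for e in build_path(events)}
    lo, hi = min(seen), max(seen)
    return [TACTIC_ORDER[i] for i in range(lo, hi + 1) if i not in seen]


def gap_filling_plan(events, hints=GAP_SEARCH_FEATURES):
    """For each missing link, the log source and features to collect again."""
    return {t: hints.get(t, ("any", [])) for t in missing_links(events)}


def report_lines(events):
    """Text form of the tracing report the feedback submodule emits: the
    rebuilt path followed by the gap filling plan."""
    lines = ["Attacker path (ATT&CK tactic order):"]
    for e in build_path(events):
        lines.append(f"  {e.time}  {e.tactic:<20} {e.technique}  weight={e.weight}")
    plan = gap_filling_plan(events)
    lines.append(f"Missing links: {len(plan)}")
    for tactic, (source, features) in plan.items():
        lines.append(f"  {tactic}: re-filter {source} logs for {', '.join(features)}")
    return lines


# Constructed events, deliberately out of time order as labelled logs would be.
OBSERVED = [
    Event("2021-01-05T10:01:09", "T1046", "Discovery", 4),
    Event("2021-01-05T10:04:00", "T1059", "Execution", 2),
    Event("2021-01-05T10:04:30", "T1071", "Command and Control", 1),
    Event("2021-01-05T09:58:00", "T1566", "Initial Access", 3),
    Event("2021-01-05T10:20:00", "T1021", "Lateral Movement", 2),
]

if __name__ == "__main__":
    print("\n".join(report_lines(OBSERVED)))
```

The plan is ordered by tactic, so the analyst re-filters for the earliest missing stage first; with the constructed events that is Persistence, for which the path has execution and command-and-control evidence but nothing between them.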
The feedback submodule in the ATT&CK processing module performs the following operations: first, after collecting and organizing the attack path information completed by the data processing submodule, it writes the information into the local threat intelligence library in a specified format; second, it generates an attack tracing visual report that is tightly connected with the attacker's context. Compared with traditional tracing, the result is more closely tied to the attacker's behavior, and the attack behavior is captured more completely.
The above description is only an example of the present application and is not intended to limit it. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement or improvement made within the spirit and principles of the present application shall fall within the scope of its claims.

Claims (3)

1. An attack tracing method based on threat intelligence and ATT & CK, characterized in that the attack tracing method is implemented using a label module, a threat intelligence library module, a data preprocessing module and an ATT & CK processing module; the threat intelligence library module comprises an external threat acquisition submodule, an internal threat aggregation analysis submodule and an internal threat intelligence library; the ATT & CK processing module comprises an ATT & CK framework analysis submodule, a data processing submodule and a feedback submodule;
the method comprises the following specific steps:
based on the application scenario, first establishing a mapping relationship between a label system and processing rules, presetting a weight coefficient for each attack behaviour attribute, and identifying data in the log file using the corresponding data characteristics of the label system; for the threat attributes, identifying data in the log file through the IP, MD5 identification code, HASH identification code and domain name features exposed by the attack behaviour;
collecting internal security threats, and establishing and perfecting an internal threat intelligence library in combination with threat intelligence sources shared by external platforms;
establishing an open-source threat intelligence collection and query framework using the external threat acquisition submodule, automatically collecting threat intelligence from various open resources, simplifying the external collection flow using web crawler technology and an API (application programming interface) so as to achieve rapid collection and sorting of threat intelligence, and storing the acquired data in the internal threat intelligence library, using a relational database for storage;
collecting data sources using an internal threat acquisition submodule;
using the internal threat aggregation analysis submodule to find the context, scene indicators, attack indicators and attack impact related to a given threat under a specific trend and situation scenario across the whole environment, collecting and analysing the established security event information while the threat is being handled, and finally storing the analysis result in the internal threat intelligence library according to the threat intelligence format standard;
after the internal threat intelligence library has been established, preprocessing the log file that requires tracing detection with the data preprocessing module, wherein the log file is preliminarily filtered and log information carrying potential threats is screened out of the log file through the multidimensional information of the preprocessed log file, namely IP, MD5 identification codes, HASH identification codes, domain names and attack characteristics; meanwhile, during preprocessing, the label module marks the data in the log file with the corresponding threat weight labels according to the mapping relationship between the preset label system and the processing rules, and the corresponding features exposed by attack behaviours are marked through regular-expression matching of the label system rules;
sending the data that has passed through the data preprocessing module into the ATT & CK processing module; identifying, from the attacker's perspective, the technical points that need priority handling by combining the ATT & CK processing module with an advanced penetration-test attack matrix, through analysis of the attacker's tactics, techniques and procedures;
the ATT & CK framework analysis submodule in the ATT & CK processing module performs analysis through ATT & CK and constructs an attacker path model in combination with the local network topology environment;
using the data processing submodule in the ATT & CK processing module, and based on the model generated by the analysis submodule, loading the data output by the data preprocessing module into the data processing submodule as a new data source, and processing the log data in priority gradients according to the label information; continuing to supplement the attack behaviour information using the data processing submodule;
and using the feedback submodule in the ATT & CK processing module to perform the following operations: first, after collecting and sorting the attack path information perfected by the data processing submodule, writing the information into the internal threat intelligence library of the threat intelligence library module in the specified format, and second, generating an attack-tracing visual report that is tightly bound to the context from the attacker's perspective;
wherein the collection of data sources using the internal threat acquisition submodule
comprises monitoring illegal access, unauthorized access, identity authentication and unconventional operations in traditional security equipment including firewalls, IDS (intrusion detection systems) and IPS (intrusion prevention systems), and collecting data sources using sandbox execution, honeypot technology, DPI (deep packet inspection) technology, DFI (deep flow inspection) technology and malicious code detection technology;
the ATT & CK framework analysis submodule contains all the methods an attacker may use together with the path information they pass through, and the attacker attack path model is simulated and established on that basis;
and continuing to supplement the attack behaviour information using the data processing submodule, specifically performing the following operations: first, for attack behaviours that have already been mined fairly completely, remodelling the attacker path on the basis of the traditional threat intelligence, and enriching the context of the attack behaviour according to its progressive relationship; second, for information that is still incomplete and for attack behaviours not yet uncovered, gap-filling the information obtained according to the model generated by the analysis submodule, locating the link missing from the attack information, and, according to the missing link, collecting and filtering the log information again in combination with the attack characteristics, attack area and other information of the missing link.
2. The attack tracing method based on threat intelligence and ATT & CK according to claim 1, characterized in that the label module is connected with the data preprocessing module, the data preprocessing module is connected with the ATT & CK processing module and with the threat intelligence library module respectively, and the ATT & CK processing module is connected with the threat intelligence library module; the external threat acquisition submodule is connected with the internal threat intelligence library, the internal threat acquisition submodule is connected with the internal threat aggregation analysis submodule, and the internal threat aggregation analysis submodule is connected with the internal threat intelligence library; the ATT & CK framework analysis submodule is connected with the data processing submodule, and the data processing submodule is connected with the feedback submodule.
3. The attack tracing method based on threat intelligence and ATT & CK according to claim 1, characterized in that the external collection process is simplified using web crawler technology and an API interface to achieve rapid collection and sorting of threat intelligence, wherein the web crawler technology performs web page parsing and page content crawling with the BeautifulSoup, Requests and Scrapy libraries in Python against Twitter, Tor, darknet forums, the 360 security portal, FreeBuf, FireEye and McAfee as targets; and threat intelligence is collected from open-source threat intelligence sharing platforms and vendors using an API (application programming interface), wherein the threat intelligence sharing platforms comprise AlienVault OTX, GreyNoise, Hunter and MalShare, each platform providing a fixed API for calling and collecting information.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110020451.1A CN112738126B (en) 2021-01-07 2021-01-07 Attack tracing method based on threat intelligence and ATT & CK

Publications (2)

Publication Number Publication Date
CN112738126A CN112738126A (en) 2021-04-30
CN112738126B CN112738126B (en) 2021-09-14


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant