CN112948821A - APT detection early warning method - Google Patents
- Publication number: CN112948821A (application No. CN202110385616.5A)
- Authority: CN (China)
- Prior art keywords: fingerprints, information, malicious programs, unknown, unknown malicious
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS; G06—COMPUTING, CALCULATING OR COUNTING; G06F—ELECTRIC DIGITAL DATA PROCESSING (common to all entries below)
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms during program execution, by executing in a restricted environment, e.g. sandbox or secure virtual machine
- G06F21/566—Computer malware detection or handling: dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- G06F9/45558—Emulation and virtualisation: hypervisor-specific management and integration aspects
- G06F2009/45587—Isolation or security of virtual machine instances
- G06F2009/45591—Monitoring or debugging support
- G06F2009/45595—Network integration; enabling network access in virtual machine instances
Abstract
The invention discloses an APT detection early warning method. In an industrial control environment, fine-grained information about an industrial controller, such as its hardware fingerprints, system fingerprints, production and service fingerprints and network fingerprints, is acquired accurately; high-simulation honeypots imitating the industrial controller are designed and built in virtual machines, and these honeypots form a high-simulation honeynet that is deployed, as a virtual environment, within the industrial production environment. In this way unknown malicious programs are trapped passively, their execution is captured, and their behavior characteristics are captured to form samples; the diffusion and propagation paths of the unknown malicious programs are then tracked actively on the basis of the captured samples, so that the source and destination of an unknown malicious program can be located precisely.
Description
Technical Field
The invention relates to the technical field of network security, in particular to an APT detection early warning method.
Background
Unknown malicious programs have an extremely strong ability to damage or take control of key equipment in industrial control systems, and are characterized by strong concealment, high sophistication and clearly defined targets. They are also immune to antivirus software and can propagate and spread through media such as compact discs, USB flash drives, wireless links, RS232 serial ports and RJ45 network cables. The result is an uncontrolled, passive situation in which the damage done by unknown malicious programs is hard to identify and detect, hard to locate, and cannot be removed for lack of suitable means. To address the problems that key equipment in industrial control environments runs with weak security, that the threat of unknown malicious programs is hard to identify, detect and locate, and that means of removal are lacking, the invention provides a technical scheme that effectively identifies, detects and locates unknown malicious programs by building a high-simulation trapping model based on fine-grained fingerprint acquisition.
Disclosure of Invention
The invention aims to provide an APT detection early warning method that effectively identifies, detects and locates unknown malicious programs, addressing the defects of the prior art.
In order to solve the above problems, the technical scheme adopted by the invention is as follows.
An APT detection early warning method comprises the following steps:
Step one: collecting hardware fingerprints, system fingerprints, production and service fingerprints and network fingerprints in an industrial control environment;
Step two: designing and constructing a high-simulation honeypot and honeynet;
Step three: identifying, detecting and locating known and unknown malicious program threats;
Step four: constructing a model for actively defending against unknown malicious programs, zero-day and other malicious attacks.
In a further technical scheme, the acquisition of the hardware fingerprints, system fingerprints, production and service fingerprints and network fingerprints in the industrial control environment specifically comprises:
hardware fingerprints of key industrial control equipment, such as mainboard information, processor information, memory information, storage medium information and hardware interface information, are collected by writing a shell script;
system fingerprints, such as industrial control system type and version, known vulnerability information and patch information, are collected with an existing industrial control vulnerability scanner;
production and service fingerprints in the GSM communication network, such as signalling link online data, signalling data, remote authentication information, signalling reassembly information, production instruction information, data message information and packet information, are collected by writing a shell script and using Wireshark;
network fingerprints across the whole network, such as wireless networks (AP, wireless type, manufacturer, device type, state, region, machine name, signal strength, IP address, MAC address, Rx/Tx and the like), industrial control protocols (CANBUS, MODBUS, Profibus, PLC, SLC, OPC, MMS, WICN and the like), virtual data centers and global network state, are analyzed and collected by writing shell scripts.
In a further technical scheme, the design and construction of the high-simulation honeypot and honeynet specifically comprises: building simulated operating systems such as VxWorks, Linux, SylixOS and pSOS in a virtual machine using the hardware fingerprint and system fingerprint information acquired at fine granularity; and building a CODESYS industrial control development environment, a virtual switching system and a simulated honeynet using the production and service fingerprint and network fingerprint information.
In a further technical scheme, the identification, detection and localization of known and unknown malicious program threats specifically comprises: deploying high-simulation honeypots and honeynets in the industrial control environment to imitate real key industrial control equipment, so that when an unknown malicious program scans for targets to infect it recognizes the honeypots and honeynets as diffusion and infection targets and executes there; its malicious code is then captured passively through behavior anomaly detection, and samples are extracted;
in the designed and constructed honeypot and honeynet, manual operation of a mouse, keyboard, control switch, industrial joystick and the like is simulated to actively induce unknown malicious programs to spread to and execute in the honeypot and honeynet; through passive capture and active inducement, the characteristics of known and unknown malicious programs (data flows that violate the flow-direction rules, abnormal heartbeat signals, abnormal scanning behavior, abnormal baseline traffic, abnormal sniffing behavior, abnormal signalling or signals, and the like) are captured, so that the malicious code is accurately recognized and samples of the known and unknown malicious programs are extracted;
behavior correlation analysis is performed on the captured malicious code and reverse tracing is performed to find the infection source of the unknown malicious program; its diffusion path is tracked through the extracted samples and the next target to be infected is accurately identified, thereby completing precise localization.
In a further technical scheme, the construction of the active defense model against unknown malicious programs, zero-day and other malicious attacks is based on association rules, from which the hidden attack behavior of unknown malicious programs is inferred. An attack-behavior reasoning technique based on clustering and a knowledge base is adopted: repeated or similar logs are first reduced by a density-based clustering method (most partitioning methods cluster by the distance between objects), and the OPTICS (Ordering Points To Identify the Clustering Structure) algorithm is used to generate an accurate, ordered set of data clusters;
the constructed active defense model performs protocol detection on received data packets: it calls a protocol identification function to identify the protocol, calls a different decoding module for each specific protocol type, deeply inspects the content of the data stream, and then applies packet filtering to the stream; the active defense model compares the data packets against predefined rules and accepts, blocks or discards the filtered content according to the comparison, the configured coarse or fine granularity and the algorithm.
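Because the OPTICS step is only named here, the following added Python example (written for this page, not the patent's code or any product's) shows the log reduction it performs: each alert is turned into a numeric feature vector, OPTICS produces the cluster ordering and reachability distances, clusters are cut from that ordering at the same radius, and every cluster of repeated or similar logs collapses to one representative while isolated logs are kept as noise. The alert records, the feature scaling and the parameters eps=0.5 and min_pts=3 are constructed assumptions that a real deployment would have to tune.

```python
import math

# Constructed honeynet alert log (not real data): one record per connection
# attempt against a decoy. Five Modbus reads and three EtherNet/IP probes are
# near-duplicates; the last record is a one-off.
LOGS = [
    {"id": 1, "src": "10.0.0.77", "dport": 502,   "bytes": 100,  "op": "read_coils"},
    {"id": 2, "src": "10.0.0.77", "dport": 502,   "bytes": 110,  "op": "read_coils"},
    {"id": 3, "src": "10.0.0.77", "dport": 502,   "bytes": 120,  "op": "read_coils"},
    {"id": 4, "src": "10.0.0.78", "dport": 502,   "bytes": 105,  "op": "read_coils"},
    {"id": 5, "src": "10.0.0.78", "dport": 502,   "bytes": 115,  "op": "read_coils"},
    {"id": 6, "src": "10.0.0.77", "dport": 44818, "bytes": 300,  "op": "list_identity"},
    {"id": 7, "src": "10.0.0.77", "dport": 44818, "bytes": 320,  "op": "list_identity"},
    {"id": 8, "src": "10.0.0.78", "dport": 44818, "bytes": 310,  "op": "list_identity"},
    {"id": 9, "src": "10.0.0.77", "dport": 4444,  "bytes": 5000, "op": "unknown"},
]


def featurize(rec):
    # Assumed scaling so that port and size are on comparable ranges.
    return (rec["dport"] / 1000.0, rec["bytes"] / 100.0)


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def optics(points, eps, min_pts):
    """OPTICS ordering. Returns (order, reachability, core_distance); a point is
    a core point if at least min_pts points (itself included) lie within eps."""
    n = len(points)
    inf = float("inf")
    reach, core, processed, order = [inf] * n, [None] * n, [False] * n, []

    def neighbors(i):
        return [j for j in range(n) if j != i and dist(points[i], points[j]) <= eps]

    def core_distance(i, nbrs):
        if len(nbrs) + 1 < min_pts:
            return None
        return sorted(dist(points[i], points[j]) for j in nbrs)[min_pts - 2]

    def update(i, nbrs, seeds):
        # Reachability of j from i is max(core-distance(i), dist(i, j)).
        for j in nbrs:
            if processed[j]:
                continue
            new_reach = max(core[i], dist(points[i], points[j]))
            if new_reach < reach[j]:
                reach[j] = new_reach
                seeds[j] = new_reach

    for i in range(n):
        if processed[i]:
            continue
        nbrs = neighbors(i)
        processed[i] = True
        order.append(i)
        core[i] = core_distance(i, nbrs)
        if core[i] is None:
            continue
        seeds = {}
        update(i, nbrs, seeds)
        while seeds:                      # always expand the closest seed next
            j = min(seeds, key=seeds.get)
            del seeds[j]
            nbrs_j = neighbors(j)
            processed[j] = True
            order.append(j)
            core[j] = core_distance(j, nbrs_j)
            if core[j] is not None:
                update(j, nbrs_j, seeds)
    return order, reach, core


def extract_clusters(order, reach, core, eps_cluster):
    """Cut the reachability plot at eps_cluster (DBSCAN-style); -1 marks noise."""
    labels, cluster_id = [-1] * len(order), -1
    for p in order:
        if reach[p] > eps_cluster:
            if core[p] is not None and core[p] <= eps_cluster:
                cluster_id += 1
                labels[p] = cluster_id
            else:
                labels[p] = -1
        else:
            labels[p] = cluster_id
    return labels


def reduce_logs(records, eps=0.5, min_pts=3):
    """Collapse each cluster of similar logs to its first member; keep noise as-is."""
    points = [featurize(r) for r in records]
    order, reach, core = optics(points, eps, min_pts)
    labels = extract_clusters(order, reach, core, eps)
    kept, seen = [], set()
    for p in order:
        label = labels[p]
        if label == -1 or label not in seen:
            seen.add(label)
            members = labels.count(label) if label != -1 else 1
            kept.append(dict(records[p], cluster=label, members=members))
    return kept, labels


if __name__ == "__main__":
    for rec in reduce_logs(LOGS)[0]:
        print(rec)
```

With these parameters the nine records reduce to three: one representative for the Modbus reads, one for the EtherNet/IP probes, and the unclustered record on port 4444, which is exactly the kind of isolated event that deserves an analyst's attention after the repeats have been folded away.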
The beneficial effects produced by the above technical scheme are as follows:
in an industrial control environment, fine-grained information about an industrial controller, such as its hardware fingerprints, system fingerprints, production and service fingerprints and network fingerprints, is acquired accurately; a high-simulation honeypot imitating the industrial controller is designed and built in a virtual machine, the honeypots form a high-simulation honeynet that is deployed, as a virtual environment, within the industrial production environment; unknown malicious programs are trapped passively and their behavior characteristics are captured to form samples; the diffusion and propagation paths of the unknown malicious programs are then tracked actively on the basis of the captured samples, and the source and destination of the unknown malicious programs are located precisely.
Drawings
Fig. 1 is a schematic diagram of the principle of the present invention.
Detailed Description
The following examples further describe embodiments of the present invention in detail. The following examples are intended to illustrate the invention but are not intended to limit the scope of the invention.
The invention relates to an APT detection early warning method comprising the following steps.
Step one: collecting hardware fingerprints, system fingerprints, production and service fingerprints and network fingerprints in an industrial control environment. The acquisition of the hardware fingerprints, system fingerprints, production and service fingerprints and network fingerprints in the industrial control environment specifically comprises:
hardware fingerprints of key industrial control equipment, such as mainboard information, processor information, memory information, storage medium information and hardware interface information, are collected by writing a shell script;
system fingerprints, such as industrial control system type and version, known vulnerability information and patch information, are collected with an existing industrial control vulnerability scanner;
production and service fingerprints in the GSM communication network, such as signalling link online data, signalling data, remote authentication information, signalling reassembly information, production instruction information, data message information and packet information, are collected by writing a shell script and using Wireshark;
network fingerprints across the whole network, such as wireless networks (AP, wireless type, manufacturer, device type, state, region, machine name, signal strength, IP address, MAC address, Rx/Tx and the like), industrial control protocols (CANBUS, MODBUS, Profibus, PLC, SLC, OPC, MMS, WICN and the like), virtual data centers and global network state, are analyzed and collected by writing shell scripts.
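As an added illustration of the hardware part of step one (example code written for this page, not the patent's scripts or any product's), the following Python collects the stable fingerprint fields the text names, mainboard, processor, memory and network interfaces, from the Linux /proc and /sys interfaces, canonicalizes and hashes them, and reports the fields on which a second fingerprint deviates, which is the check one would run against a honeypot built in step two to confirm it reproduces the real controller's fingerprint. The /proc and DMI contents, vendor names and MAC addresses in the block are constructed; the paths under /sys/class/dmi/id and /sys/class/net are assumed to exist only on a Linux host, and elsewhere the constructed samples are used.

```python
import hashlib
import json
import os
import re

# Constructed stand-ins for a controller's /proc/cpuinfo, /proc/meminfo, DMI
# values and NIC addresses (not captured from a real device).
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Intel(R) Atom(TM) CPU E3845 @ 1.91GHz
cpu MHz\t\t: 1916.000

processor\t: 1
vendor_id\t: GenuineIntel
model name\t: Intel(R) Atom(TM) CPU E3845 @ 1.91GHz
cpu MHz\t\t: 1833.201
"""
SAMPLE_MEMINFO = "MemTotal:        4046140 kB\nMemFree:         3120432 kB\n"
SAMPLE_DMI = {"board_vendor": "ExampleVendor", "board_name": "EX-1000", "bios_version": "V1.07"}
SAMPLE_NICS = {"eth0": "02:00:00:00:00:01", "eth1": "02:00:00:00:00:02"}


def parse_cpuinfo(text):
    """Stable CPU fields only: 'cpu MHz' and similar volatile values are ignored
    so that two collections on the same controller give the same fingerprint."""
    blocks = [b for b in text.strip().split("\n\n") if b.strip()]
    fields = {}
    for line in (blocks[0].splitlines() if blocks else []):
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return {"cpu_count": len(blocks),
            "cpu_vendor": fields.get("vendor_id", "unknown"),
            "cpu_model": fields.get("model name", "unknown")}


def parse_meminfo(text):
    """MemTotal is stable; MemFree changes constantly and is deliberately skipped."""
    match = re.search(r"^MemTotal:\s+(\d+)\s+kB", text, re.MULTILINE)
    return {"mem_total_kb": int(match.group(1)) if match else 0}


def build_fingerprint(cpuinfo, meminfo, dmi, nics):
    """Assemble the flat hardware-fingerprint record from its parts."""
    fp = {}
    fp.update(parse_cpuinfo(cpuinfo))
    fp.update(parse_meminfo(meminfo))
    for key in ("board_vendor", "board_name", "bios_version"):
        fp[key] = dmi.get(key, "unknown")
    for name, mac in sorted(nics.items()):
        fp["mac_" + name] = mac.lower()
    return fp


def fingerprint_digest(fp):
    """SHA-256 over canonical JSON (sorted keys, no whitespace), so field order
    cannot change the digest."""
    canonical = json.dumps(fp, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def fingerprint_diff(reference, candidate):
    """Fields on which a candidate (e.g. a honeypot clone) deviates from the
    reference fingerprint of the real controller."""
    keys = set(reference) | set(candidate)
    return sorted(k for k in keys if reference.get(k) != candidate.get(k))


def _read(path, default=""):
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read().strip()
    except OSError:
        return default


def collect_live():
    """Collect from the running Linux host; fall back to the constructed samples
    where the kernel interfaces are absent."""
    cpuinfo = _read("/proc/cpuinfo") or SAMPLE_CPUINFO
    meminfo = _read("/proc/meminfo") or SAMPLE_MEMINFO
    dmi = {k: _read("/sys/class/dmi/id/" + k, "unknown")
           for k in ("board_vendor", "board_name", "bios_version")}
    nics = {}
    if os.path.isdir("/sys/class/net"):
        for name in os.listdir("/sys/class/net"):
            if name != "lo":
                nics[name] = _read("/sys/class/net/%s/address" % name, "00:00:00:00:00:00")
    return build_fingerprint(cpuinfo, meminfo, dmi, nics or SAMPLE_NICS)


if __name__ == "__main__":
    fp = build_fingerprint(SAMPLE_CPUINFO, SAMPLE_MEMINFO, SAMPLE_DMI, SAMPLE_NICS)
    print(json.dumps(fp, indent=2))
    print("digest:", fingerprint_digest(fp))
```

Keeping volatile values (clock speed, free memory, uptime) out of the record is what makes the digest usable as a stable identifier; the same digest on two hosts means the honeypot is indistinguishable at this layer, and `fingerprint_diff` names the fields still to be fixed when it is not.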
Step two: designing and constructing a high-simulation honeypot and honeynet. The design and construction of the high-simulation honeypot and honeynet specifically comprises: building simulated operating systems such as VxWorks, Linux, SylixOS and pSOS in a virtual machine using the hardware fingerprint and system fingerprint information acquired at fine granularity; and building a CODESYS industrial control development environment, a virtual switching system and a simulated honeynet using the production and service fingerprint and network fingerprint information.
Step three: identifying, detecting and locating known and unknown malicious program threats. The identification, detection and localization of known and unknown malicious program threats specifically comprises: deploying high-simulation honeypots and honeynets in the industrial control environment to imitate real key industrial control equipment, so that when an unknown malicious program scans for targets to infect it recognizes the honeypots and honeynets as diffusion and infection targets and executes there; its malicious code is then captured passively through behavior anomaly detection, and samples are extracted;
in the designed and constructed honeypot and honeynet, manual operation of a mouse, keyboard, control switch, industrial joystick and the like is simulated to actively induce unknown malicious programs to spread to and execute in the honeypot and honeynet; through passive capture and active inducement, the characteristics of known and unknown malicious programs (data flows that violate the flow-direction rules, abnormal heartbeat signals, abnormal scanning behavior, abnormal baseline traffic, abnormal sniffing behavior, abnormal signalling or signals, and the like) are captured, so that the malicious code is accurately recognized and samples of the known and unknown malicious programs are extracted;
behavior correlation analysis is performed on the captured malicious code and reverse tracing is performed to find the infection source of the unknown malicious program; its diffusion path is tracked through the extracted samples and the next target to be infected is accurately identified, thereby completing precise localization.
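The capture characteristics listed in step three can be checked with simple rules because a decoy has no legitimate users: nothing but the engineering workstation should connect to it, and it should initiate nothing but its own heartbeat. The following Python is an added example for this page, not code from the patent or from any product it describes. The decoy addresses, the trusted hosts, the heartbeat port and the connection log are all constructed. It flags flow-direction violations, missed or delayed heartbeats and port scans against a decoy, and its `correlate` function performs the reverse tracing the text describes: the external host that reached the decoy before the decoy first misbehaved is reported as the infection source, and the decoy's later destinations as the next targets.

```python
from collections import defaultdict

# Constructed honeynet connection log (not real capture data). Each record is
# (timestamp_s, src, dst, dst_port, bytes) as the decoy's sensor would emit it.
HONEYPOTS = {"10.0.1.50", "10.0.1.51"}   # decoy PLC addresses (assumed)
ENGINEERING_WS = {"10.0.0.10"}           # hosts allowed to talk to the decoys (assumed)
SCADA_HOST = "10.0.0.20"                 # the only host a decoy may initiate to (assumed)
HEARTBEAT_PORT = 9001                    # decoy keep-alive port (assumed)

FLOWS = [
    (0,  "10.0.1.50", "10.0.0.20", 9001, 60),    # decoy heartbeat every 10 s
    (10, "10.0.1.50", "10.0.0.20", 9001, 60),
    (20, "10.0.1.50", "10.0.0.20", 9001, 60),
    (31, "10.0.0.10", "10.0.1.50", 502, 300),    # engineering workstation read: allowed
    (40, "10.0.1.50", "10.0.0.20", 9001, 60),    # beat at 30 s missed
    (45, "10.0.0.77", "10.0.1.50", 502, 12),     # unknown host probes six ports in 3 s
    (45, "10.0.0.77", "10.0.1.50", 102, 12),
    (46, "10.0.0.77", "10.0.1.50", 44818, 12),
    (46, "10.0.0.77", "10.0.1.50", 20000, 12),
    (47, "10.0.0.77", "10.0.1.50", 4840, 12),
    (48, "10.0.0.77", "10.0.1.50", 445, 1200),   # then pushes a payload
    (52, "10.0.1.50", "10.0.0.77", 4444, 800),   # decoy now connects back out
    (55, "10.0.1.50", "10.0.1.51", 445, 1200),   # and reaches for the next decoy
    (60, "10.0.1.50", "10.0.0.20", 9001, 60),    # heartbeat resumes; beat at 50 s missed
]


def detect_direction_violations(flows):
    """Flow-direction rule for a decoy: it may only initiate its heartbeat to the
    SCADA host, and only engineering hosts may initiate connections to it."""
    alerts = []
    for ts, src, dst, port, _ in flows:
        if src in HONEYPOTS and not (dst == SCADA_HOST and port == HEARTBEAT_PORT):
            alerts.append({"type": "outbound", "ts": ts, "src": src, "dst": dst, "port": port})
        elif dst in HONEYPOTS and src not in ENGINEERING_WS:
            alerts.append({"type": "inbound", "ts": ts, "src": src, "dst": dst, "port": port})
    return alerts


def detect_heartbeat_anomaly(flows, expected=10, tolerance=2):
    """Consecutive decoy heartbeats whose spacing deviates from the expected period."""
    beats = sorted(ts for ts, src, dst, port, _ in flows
                   if src in HONEYPOTS and dst == SCADA_HOST and port == HEARTBEAT_PORT)
    return [(a, b) for a, b in zip(beats, beats[1:]) if abs((b - a) - expected) > tolerance]


def detect_scans(flows, min_ports=5, window=10):
    """A source touching >= min_ports distinct ports on one decoy within `window` s."""
    seen = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        if dst in HONEYPOTS:
            seen[(src, dst)].append((ts, port))
    alerts = []
    for (src, dst), events in seen.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                alerts.append({"type": "scan", "src": src, "dst": dst, "ports": sorted(ports)})
                break
    return alerts


def correlate(flows):
    """Reverse tracing: the first outside host to reach a decoy before the decoy's
    first rule-violating outbound connection is the likely infection source; the
    decoy's outbound destinations after that point are the next targets."""
    violations = detect_direction_violations(flows)
    outbound = [a for a in violations if a["type"] == "outbound"]
    if not outbound:
        return {"source": None, "first_bad_ts": None, "next_targets": []}
    first_bad = outbound[0]["ts"]
    inbound_before = [a for a in violations if a["type"] == "inbound" and a["ts"] < first_bad]
    source = inbound_before[0]["src"] if inbound_before else None
    next_targets = sorted({a["dst"] for a in outbound if a["dst"] != source})
    return {"source": source, "first_bad_ts": first_bad, "next_targets": next_targets}


if __name__ == "__main__":
    print(detect_scans(FLOWS))
    print(detect_heartbeat_anomaly(FLOWS))
    print(correlate(FLOWS))
```

On the constructed log the scan detector names 10.0.0.77, the heartbeat check reports the two gaps around the compromise, and the correlation attributes the infection to 10.0.0.77 with 10.0.1.51 as the next target, while the 10.0.0.77 call-back is reported as an outbound violation but excluded from the target list.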
Step four: constructing a model for actively defending against unknown malicious programs, zero-day and other malicious attacks. The construction of the active defense model against unknown malicious programs, zero-day and other malicious attacks is based on association rules, from which the hidden attack behavior of unknown malicious programs is inferred. An attack-behavior reasoning technique based on clustering and a knowledge base is adopted: repeated or similar logs are first reduced by a density-based clustering method (most partitioning methods cluster by the distance between objects), and the OPTICS (Ordering Points To Identify the Clustering Structure) algorithm is used to generate an accurate, ordered set of data clusters;
the constructed active defense model performs protocol detection on received data packets: it calls a protocol identification function to identify the protocol, calls a different decoding module for each specific protocol type, deeply inspects the content of the data stream, and then applies packet filtering to the stream; the active defense model compares the data packets against predefined rules and accepts, blocks or discards the filtered content according to the comparison, the configured coarse or fine granularity and the algorithm.
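As an added example of the protocol detection, decoding and rule-based filtering described for the active defense model (example code for this page, not the patent's implementation or any product's), the following Python identifies Modbus/TCP by its MBAP header and HTTP by its request line rather than by port alone, decodes the fields a rule may need, and evaluates an ordered rule list in which coarse rules look only at the identified protocol and fine rules look into the decoded fields, returning accept, block or drop with block as the default. The packets, addresses and rule set are constructed.

```python
import struct


def modbus_frame(tid, unit, func, data):
    """Build a Modbus/TCP ADU: MBAP header (transaction id, protocol id 0,
    length of unit id + PDU, unit id) followed by function code and data."""
    pdu = bytes([func]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed packets (not real captures) with their transport context.
PACKETS = [
    {"src": "10.0.0.10", "dst": "10.0.1.5", "dport": 502,
     "payload": modbus_frame(1, 1, 3, struct.pack(">HH", 0, 10))},     # read holding registers
    {"src": "10.0.0.10", "dst": "10.0.1.5", "dport": 502,
     "payload": modbus_frame(2, 1, 16, struct.pack(">HHB", 0, 1, 2) + b"\x00\x01")},  # write from engineering host
    {"src": "10.0.0.77", "dst": "10.0.1.5", "dport": 502,
     "payload": modbus_frame(3, 1, 6, struct.pack(">HH", 5, 0xFFFF))},  # write from untrusted host
    {"src": "10.0.0.77", "dst": "10.0.1.5", "dport": 502, "payload": b"\x00\x03\x00"},  # truncated frame
    {"src": "10.0.0.77", "dst": "10.0.1.5", "dport": 80,
     "payload": b"GET /cgi-bin/status HTTP/1.1\r\nHost: plc\r\n\r\n"},
    {"src": "10.0.0.77", "dst": "10.0.1.5", "dport": 4444, "payload": b"\x90\x90\x90\x90"},
]

MODBUS_WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
ENGINEERING_WS = {"10.0.0.10"}      # hosts permitted to write to the PLC (assumed)


def identify_protocol(pkt):
    """Identify by content first; the destination port is only a hint."""
    p = pkt["payload"]
    if len(p) >= 8 and p[2:4] == b"\x00\x00" and struct.unpack(">H", p[4:6])[0] == len(p) - 6:
        return "modbus"
    if p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT") and b" HTTP/" in p:
        return "http"
    if pkt["dport"] == 502:
        return "modbus-malformed"
    return "unknown"


def decode_modbus(payload):
    tid, _proto, _length, unit = struct.unpack(">HHHB", payload[:7])
    return {"tid": tid, "unit": unit, "function": payload[7], "data": payload[8:]}


def decode_http(payload):
    line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ")
    return {"method": line[0], "path": line[1] if len(line) > 1 else ""}


DECODERS = {"modbus": decode_modbus, "http": decode_http}

# Evaluated in order, first match wins. Rules without a "test" are coarse
# (protocol-level); rules with one inspect the decoded fields.
RULES = [
    {"name": "drop-malformed", "proto": "modbus-malformed", "action": "drop"},
    {"name": "block-unknown-proto", "proto": "unknown", "action": "block"},
    {"name": "block-writes-from-untrusted", "proto": "modbus", "action": "block",
     "test": lambda pkt, d: d["function"] in MODBUS_WRITE_FUNCTIONS and pkt["src"] not in ENGINEERING_WS},
    {"name": "allow-modbus", "proto": "modbus", "action": "accept"},
    {"name": "block-cgi", "proto": "http", "action": "block",
     "test": lambda pkt, d: d["path"].startswith("/cgi-bin/")},
    {"name": "allow-http", "proto": "http", "action": "accept"},
]


def filter_packet(pkt):
    proto = identify_protocol(pkt)
    decoded = DECODERS[proto](pkt["payload"]) if proto in DECODERS else {}
    for rule in RULES:
        if rule["proto"] != proto:
            continue
        test = rule.get("test")
        if test is None or test(pkt, decoded):
            return {"protocol": proto, "decoded": decoded, "rule": rule["name"], "action": rule["action"]}
    return {"protocol": proto, "decoded": decoded, "rule": "default", "action": "block"}


def run(packets):
    return [filter_packet(p) for p in packets]


if __name__ == "__main__":
    for r in run(PACKETS):
        print(r["protocol"], r["rule"], r["action"])
```

Note that the same function code (a register write) is accepted from the engineering workstation and blocked from the unknown host: that is the fine-grained decision the decoded fields make possible, whereas the truncated frame and the unrecognised payload are handled at the coarse, protocol level before any decoder runs.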
Known threats are detected statically through a built-in next-generation intrusion detection engine, a multi-AV antivirus engine and threat intelligence detection; variants of malicious code are detected by combining gene-map detection with intelligent detection so as to defeat advanced evasion techniques (AET); unknown threats are detected by deeply analyzing the host behavior and network behavior of malicious code in a sandbox.
The gene-map detection technique combines image texture analysis with malicious code variant detection: malicious code is mapped to an uncompressed gray-scale image, the image is partitioned with a texture segmentation algorithm, the texture features of each partition are extracted with the gray-level co-occurrence matrix algorithm and used as the texture fingerprint of the malicious code; a texture fingerprint index structure is then built from the texture fingerprints of the samples;
in the detection stage, unknown malicious code and its variants are detected with a segmented texture fingerprint generation strategy and a comprehensive multi-segment texture fingerprint similarity matching algorithm. Because it works on an image mapping of the code, the method is largely unaffected by common code obfuscation strategies such as anti-tracing and anti-reversing logic, and it can also detect malicious code packed with a specific packer.
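The texture-fingerprint pipeline just described can be shown end to end in a short program. The following Python is an added example for this page, not the patent's algorithm or a product implementation: bytes are laid out as a gray-scale image, quantized to four gray levels, split into fixed-size segments, and each segment is summarized by three gray-level co-occurrence statistics (contrast, energy, homogeneity); two fingerprints are compared segment by segment and the fraction of matching segments is the similarity, which is what a multi-segment matching strategy reduces to, and a small index answers similarity queries. The sample byte strings are constructed, with the "variant" differing from the original in a handful of scattered bytes; the image width, segment size, quantization and match threshold are assumed parameters.

```python
from itertools import product

WIDTH = 32       # pixels per image row when bytes are laid out as a gray-scale image (assumed)
SEGMENT = 256    # bytes per texture segment, i.e. 8 rows of 32 (assumed)
LEVELS = 4       # gray levels after quantization: level = byte >> 6 (assumed)


def to_image(data):
    """Lay bytes out as rows of WIDTH pixels; a short final row is zero-padded."""
    rows = []
    for off in range(0, len(data), WIDTH):
        row = list(data[off:off + WIDTH])
        rows.append(row + [0] * (WIDTH - len(row)))
    return rows


def glcm_features(rows):
    """Horizontal-neighbour gray-level co-occurrence matrix (offset 1), normalized to
    probabilities and reduced to contrast, energy and homogeneity."""
    counts = [[0] * LEVELS for _ in range(LEVELS)]
    total = 0
    for row in rows:
        for a, b in zip(row, row[1:]):
            counts[a >> 6][b >> 6] += 1
            total += 1
    if total == 0:
        return (0.0, 0.0, 0.0)
    contrast = energy = homogeneity = 0.0
    for i, j in product(range(LEVELS), repeat=2):
        p = counts[i][j] / total
        contrast += p * (i - j) ** 2
        energy += p * p
        homogeneity += p / (1 + abs(i - j))
    return (contrast, energy, homogeneity)


def texture_fingerprint(data):
    """Segmented fingerprint: one feature triple per SEGMENT-byte block."""
    return [glcm_features(to_image(data[off:off + SEGMENT])) for off in range(0, len(data), SEGMENT)]


def similarity(fp_a, fp_b, threshold=1.0):
    """Multi-segment matching: fraction of aligned segments whose feature distance is
    within threshold; unmatched trailing segments count as mismatches."""
    matched = sum(1 for a, b in zip(fp_a, fp_b)
                  if sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5 <= threshold)
    longest = max(len(fp_a), len(fp_b))
    return matched / longest if longest else 0.0


class FingerprintIndex:
    """Stored sample fingerprints, queried by similarity (the index the text describes)."""
    def __init__(self):
        self.entries = {}

    def add(self, name, data):
        self.entries[name] = texture_fingerprint(data)

    def query(self, data, min_similarity=0.6):
        fp = texture_fingerprint(data)
        hits = [(name, similarity(fp, ref)) for name, ref in self.entries.items()]
        return sorted([h for h in hits if h[1] >= min_similarity], key=lambda h: -h[1])


# Constructed samples (not real malware): three 256-byte sections with distinct
# textures; the variant patches about nineteen scattered bytes, as a re-built
# variant of the same code might; the unrelated sample has a different texture.
ORIGINAL = bytes([0x00, 0xFF] * 128) + bytes([0x80] * 256) + bytes(range(256))
_variant = bytearray(ORIGINAL)
for pos in range(5, len(_variant), 41):
    _variant[pos] = (_variant[pos] + 0x7F) & 0xFF
VARIANT = bytes(_variant)
UNRELATED = bytes([0x00, 0x40, 0x80, 0xC0] * 192)

if __name__ == "__main__":
    index = FingerprintIndex()
    index.add("sample-a", ORIGINAL)
    index.add("sample-b", UNRELATED)
    print(index.query(VARIANT))
```

The patched variant still matches in every segment because a few changed bytes barely move the co-occurrence statistics, while the unrelated sample matches in none; this per-segment tolerance is also why a small local edit, such as a changed string or a re-packed stub, does not break the match.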
Comprehensive sandbox analysis and indicator-of-compromise (IOC) confirmation: the functions of various files and contents are executed (behavior activation, or content "detonation") in a sandbox, the intrusion indicators that appear in the virtual machine are observed, and unknown threats are identified; network detection and file detection run synchronously and share information, forming a detection ecosystem that grasps the attack chain accurately and quickly so that further measures can stop the APT attack at its budding stage.
Relying on strong threat intelligence collection and analysis capability, the system learns in advance about the security threats present in the network and pushes the threat intelligence to customers; combined with the software and hardware deployed locally at the customer, it can discover the malicious behavior of unknown threats early and quickly, accurately locate the victim target and the attack source, and finally investigate and trace the intrusion path and the attacker's background.
The invention also comprises an APT detection early warning system, which mainly consists of four parts: threat intelligence, an analysis platform, a fingerprint collector and a high-interaction honeypot.
1. Threat intelligence
Threat intelligence comes from the analysis results of a threat intelligence center, which regularly describes APT attacks, attacker backgrounds, novel Trojans, targeted Trojans and the like. Relying on rich cloud data, on automated data analysis and processing based on machine learning, and on top research resources as technical support, every unknown threat surfaced by big-data analysis is examined manually and analyzed in detail to confirm the attack means, the attack object and the attack purpose; multiple dimensions of the attacker's profile are restored through data correlation analysis, including program forms, homologous Trojan programs with different coding styles and different attack principles, malicious servers (C&C) and the like; the attacker is tracked through these holistic characteristics so that unknown threats are discovered continuously, the accuracy of the discovered unknown threats is finally ensured, and threat intelligence is generated for use by the customer's local analysis platform.
2. Fingerprint collector
The fingerprint collector is mainly responsible for collecting and restoring mirrored network traffic. The restored traffic logs are encrypted and transmitted to the analysis platform, and the PE and non-PE files restored from the traffic mirror are encrypted and transmitted to the dynamic sandbox for detection. The fingerprint collector decodes the network traffic to restore the real flows, extracts the header information of the network, transport and application layers and, where important, the payload, and transmits this information to the analysis platform over an encrypted channel for unified processing. The multi-protocol analysis module in the collector supports high-performance analysis of mainstream protocols such as HTTP (web) and SMTP/POP3 (mail) in IPv4/IPv6 network environments.
3. Analysis platform
The analysis platform stores the traffic logs submitted by the collectors and the alarm logs submitted by the dynamic sandbox, processes all data quickly, supports retrieval, and can correlate data with threat intelligence or with other alarms to assist further analysis, so that attacks can be traced back and located effectively. The analysis platform is responsible for storing, preprocessing and retrieving all data. Because a traditional relational database often lacks the performance to query related data quickly when large amounts of data are stored, the data retrieval module at the bottom of the analysis platform uses distributed computing and search engine technology to process all data.
4. High-interaction honeypot
The high-interaction honeypot performs advanced threat detection on files: it receives and restores large numbers of PE and non-PE files from the collector and uses a series of signature-free detection methods, such as a simulated environment, to discover complex threats that traditional security equipment cannot find. The alarms raised on the high-interaction honeypot can be sent to the analysis platform for unified alarm management and subsequent further analysis.
In the invention:
Threat traceability is improved effectively through full-traffic collection and analysis: network traffic is stored centrally, restored and analyzed through a bypass (out-of-band) deployment, network operating conditions are recorded comprehensively, and complete network operation data are provided for the user's threat tracing when a security event or security alarm occurs, helping the user reach a correct judgment.
High-interaction honeypot technology is introduced to strengthen the discovery of unknown malicious software: for unknown malicious software and the large number of malware variants, the malware is detonated in a constructed simulated environment, which strengthens the product's ability to discover unknown malware and cuts off an important link in the APT attack chain.
Threat intelligence is used to improve APT attack detection: traces of APT attacks in the network are found by matching threat intelligence against network traffic. The rich context and attack indicator information of the threat intelligence is matched against current network traffic, so that unknown malicious software, exploitation of unknown vulnerabilities and similar conditions are found effectively, and APT attack detection is thereby achieved.
Threat visualization reduces the difficulty of security event response and handling: security events and alarms are presented visually, so that in threat tracing and security investigation the user can locate and dispose of threats quickly without processing large numbers of security log alarms, reducing the difficulty of security event handling.
Finally, it should be noted that the above examples are only intended to illustrate the technical solution of the present invention, not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some technical features equivalently replaced, and that such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
Claims (5)
1. An APT detection early warning method, characterized by comprising the following steps:
Step one: collecting hardware fingerprints, system fingerprints, production and service fingerprints, and network fingerprints in an industrial control environment;
Step two: designing and constructing a high-simulation honeypot and honeynet;
Step three: identifying, detecting and localizing known and unknown malware threats;
Step four: constructing a model for actively defending against unknown malicious programs, Zero Day and other malicious attacks.
2. The APT detection early warning method according to claim 1, wherein collecting hardware fingerprints, system fingerprints, production and service fingerprints and network fingerprints in the industrial control environment specifically comprises:
collecting hardware fingerprints of key industrial control devices, such as mainboard information, processing chip information, memory information, storage medium information and hardware interface information, by writing a SHELL script;
collecting system fingerprints, such as industrial control system type, version, known vulnerability information and patch information, with an existing industrial control vulnerability scanner;
collecting production and service fingerprints in the GSM communication network, such as signalling link online data, signalling data, remote authentication information, signalling reassembly information, production instruction information, data message information and packet information, by writing a Shell script and using Wireshark;
analyzing and collecting network fingerprints across the whole network, such as wireless networks, industrial control protocols, virtual data centers and global network state, by writing SHELL scripts.
3. The APT detection early warning method according to claim 1, wherein designing and constructing the high-simulation honeypot and honeynet specifically comprises: building simulated operating systems such as VxWorks, Linux, SylixOS and pSOS in a virtual machine using the hardware fingerprint and system fingerprint information acquired at fine granularity; and constructing a Codesys industrial control development environment, a virtual switching system and a simulated honeynet using the production and service fingerprint and network fingerprint information.
4. The APT detection early warning method according to claim 1, wherein identifying, detecting and localizing known and unknown malware threats specifically comprises: deploying high-simulation honeypots and honeynets in the industrial control environment to simulate real key industrial control devices, so that when an unknown malicious program scans for and finds infection targets it treats the high-simulation honeypots and honeynets as diffusion and infection targets and executes on them; passively capturing the malicious code of the unknown malicious program through behavior anomaly detection, and extracting samples;
in the designed and constructed honeypot and honeynet, simulating manual operation of a mouse, keyboard, control switches, industrial joysticks and the like to actively induce unknown malicious programs to spread to and execute on the honeypot and honeynet; completing the capture of the characteristics of known and unknown malicious programs through passive capture and active inducement, completing accurate malicious code recognition, and extracting samples of the known and unknown malicious programs;
performing behavior correlation analysis on the captured malicious code of the unknown malicious programs and tracing it back to find the infection source of the unknown malicious programs; tracking the diffusion paths of the unknown malicious programs through the extracted samples, and accurately identifying the next target to which the infection will spread, thereby completing accurate localization.
5. The APT detection early warning method according to claim 1, wherein constructing the active defense model against malicious attacks such as unknown malicious programs and Zero Day is based on association rules, with reasoning performed on the hidden attack behaviors of unknown malicious programs; an attack behavior reasoning technique based on clustering and a knowledge base is adopted: repeated or similar logs are first simplified by a density-based clustering method (most partitioning methods cluster by the distance between objects), and an accurate and ordered cluster of the data set is generated with the OPTICS (Ordering Points To Identify the Clustering Structure) algorithm;
the constructed active defense model performs protocol detection on received data packets, calls a protocol identification function to identify the protocol, calls different decoding modules for specific protocols according to their type, deeply inspects the content of the data stream, and then performs packet filtering on the data stream; the active defense model compares the data packets against predefined rules, and accepts, blocks or discards the filtered content according to the comparison result, the configured coarse or fine granularity, and the algorithm.
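The log simplification step of claim 5, as an added example that is not the patent's own implementation: a DBSCAN-style density clustering over constructed honeynet alarm lines, using Jaccard distance between token sets, stands in for the OPTICS ordering the claim names and collapses repeated or similar alarms to one representative each. The sample lines, the host-number masking, and the eps and min_pts values are assumptions.

```python
import re

# Constructed honeynet alarm lines (not from the patent); the first four are
# the same scan seen from several honeypot PLCs.
SAMPLE_LOGS = [
    "honeypot plc-01 scan from 10.0.5.17 tcp/502 modbus read-coils",
    "honeypot plc-02 scan from 10.0.5.17 tcp/502 modbus read-coils",
    "honeypot plc-03 scan from 10.0.5.17 tcp/502 modbus read-coils",
    "honeypot plc-01 scan from 10.0.5.17 tcp/502 modbus read-coils",
    "honeypot hmi-01 login attempt from 10.0.5.17 tcp/23 telnet",
    "honeypot hmi-01 login attempt from 10.0.5.17 tcp/23 telnet",
    "honeypot eng-ws file write from 10.0.9.3 tcp/445 smb",
]

def tokens(line):
    """Token set with host numbering masked so near-identical events cluster."""
    return set(re.sub(r"-\d+\b", "-N", line).split())

def jaccard_distance(a, b):
    union = a | b
    return 1.0 - len(a & b) / len(union) if union else 0.0

def density_cluster(lines, eps=0.2, min_pts=2):
    """DBSCAN-style density clustering; one label per line, -1 marks noise."""
    toks = [tokens(l) for l in lines]
    n = len(lines)
    neigh = [[j for j in range(n) if jaccard_distance(toks[i], toks[j]) <= eps]
             for i in range(n)]
    labels, cid = [None] * n, 0
    for i in range(n):
        if labels[i] is not None:
            continue
        if len(neigh[i]) < min_pts:          # not dense enough to seed a cluster
            labels[i] = -1
            continue
        labels[i], queue = cid, list(neigh[i])
        while queue:                          # grow the cluster through core points
            j = queue.pop()
            if labels[j] == -1:
                labels[j] = cid               # border point previously seen as noise
            if labels[j] is not None:
                continue
            labels[j] = cid
            if len(neigh[j]) >= min_pts:
                queue.extend(neigh[j])
        cid += 1
    return labels

def reduce_logs(lines, eps=0.2, min_pts=2):
    """Collapse each cluster to its first line plus a count; noise lines stay as-is."""
    reps, out = {}, []
    for line, lab in zip(lines, density_cluster(lines, eps, min_pts)):
        if lab != -1 and lab in reps:
            reps[lab]["count"] += 1
            continue
        entry = {"representative": line, "count": 1}
        if lab != -1:
            reps[lab] = entry
        out.append(entry)
    return out
```

The single SMB write stays as its own entry because nothing similar accompanies it, which is exactly the kind of rare event the reduction must not hide.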
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110385616.5A CN112948821A (en) | 2021-04-10 | 2021-04-10 | APT detection early warning method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112948821A true CN112948821A (en) | 2021-06-11 |
Family
ID=76231571
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110385616.5A Pending CN112948821A (en) | 2021-04-10 | 2021-04-10 | APT detection early warning method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112948821A (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110784476A (en) * | 2019-10-31 | 2020-02-11 | 国网河南省电力公司电力科学研究院 | Power monitoring active defense method and system based on virtualization dynamic deployment |
CN112383538A (en) * | 2020-11-11 | 2021-02-19 | 西安热工研究院有限公司 | Hybrid high-interaction industrial honeypot system and method |
Non-Patent Citations (2)
Title |
---|
Liu Yang, "Design of a Security Situation Awareness Platform for a Natural Resources Cloud Center", Cybersecurity and Informatization, pp. 129-133 |
Li Jingjing, "Design and Implementation of an ICS Threat Awareness Platform Based on Honeypot Technology", Master's Thesis Electronic Journal, pp. 123-125 |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113572730A (en) * | 2021-06-15 | 2021-10-29 | 郑州云智信安安全技术有限公司 | Implementation method for actively and automatically trapping honeypots based on web |
CN113722714A (en) * | 2021-11-03 | 2021-11-30 | 北京微步在线科技有限公司 | Network threat processing method and device |
CN114266047A (en) * | 2021-12-14 | 2022-04-01 | 北京天融信网络安全技术有限公司 | Malicious program defense method and device, electronic equipment and storage medium |
CN114662111A (en) * | 2022-05-18 | 2022-06-24 | 成都数默科技有限公司 | Malicious code software gene homology analysis method |
CN114662111B (en) * | 2022-05-18 | 2022-08-09 | 成都数默科技有限公司 | Malicious code software gene homology analysis method |
CN114915493A (en) * | 2022-06-22 | 2022-08-16 | 云南电网有限责任公司 | Trapping deployment method based on power monitoring system network attack |
CN114915493B (en) * | 2022-06-22 | 2024-05-28 | 云南电网有限责任公司 | Trapping deployment method based on network attack of power monitoring system |
CN115499238A (en) * | 2022-09-30 | 2022-12-20 | 北京珞安科技有限责任公司 | Industrial control network threat analysis method based on industrial control behavior analysis |
CN115499238B (en) * | 2022-09-30 | 2023-04-28 | 北京珞安科技有限责任公司 | Industrial control network threat analysis method based on industrial control behavior analysis |
CN117978542A (en) * | 2024-03-28 | 2024-05-03 | 北京中关村实验室 | Digital stand-by defense system design method and device for advanced persistent threat |
CN117978542B (en) * | 2024-03-28 | 2024-07-09 | 北京中关村实验室 | Digital stand-by defense system design method and device for advanced persistent threat |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20210611 |