CN113472789A - Attack detection method, attack detection system, storage medium and electronic equipment - Google Patents

Attack detection method, attack detection system, storage medium and electronic equipment

Publication number: CN113472789A
Application number: CN202110741980.0A
Authority: CN (China)
Prior art keywords: attack, attack sequence, sequence, actual, behavior
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN113472789B (en)
Inventor: 李飞虎
Current assignee: Sangfor Technologies Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd; published as CN113472789A and granted as CN113472789B.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Abstract

The application provides an attack detection method in which a preset attack sequence set is configured in advance. The preset attack sequence set comprises a plurality of attack sequence classes, and each attack sequence class comprises at least one attack mode. The detection method comprises the following steps: acquiring a malicious behavior, where the malicious behavior corresponds to one attack mode; obtaining an actual attack sequence according to the malicious behavior; and obtaining a detection result according to the attack sequence classes and the actual attack sequence, where the detection result represents a targeted threat attack. The method and device can detect malicious attack behaviors across all dimensions, reduce the probability that single-dimension detection is bypassed, and improve the detection strength and detection efficiency for malicious behaviors. The application also provides an attack detection system, a computer-readable storage medium and an electronic device, which have the same beneficial effects.

Description

Attack detection method, attack detection system, storage medium and electronic equipment
Technical Field
The present application relates to the field of network security, and in particular, to an attack detection method, an attack detection system, a storage medium, and an electronic device.
Background
Existing endpoint protection software determines threats by behavior monitoring combined with IOCs (indicators of compromise), for example comparing the MD5 (message-digest algorithm) hashes of changed files against those of known malicious files, and comparing the Domain Name System (DNS) names observed in network behavior against known malicious DNS names. Such single-dimension detection lags behind the attacker, and because the cost of changing IOCs such as MD5 hashes and DNS names is low, they are easily bypassed. Because IOCs lack the context information (association information) of the attack to which a threat belongs, it is difficult to capture a new APT (advanced persistent threat) attack with IOCs alone.
Currently a single-point defense concept is adopted: key operations are monitored by a driver or by hooking key functions, the MD5 of the operating process is looked up in the cloud as black, white or grey, processes that are not whitelisted are intercepted, and a popup window asks the user to decide whether to allow the operation. However, detection of a single-point behavior can hardly determine whether a program is malicious; it can only report a suspicious program that cannot be definitively judged. The user cannot decide how to handle it from the alarm information alone, the protection is easily bypassed, and a single dangerous behavior does not tell the user whether the system is under an APT attack. Therefore, how to effectively prevent APT attacks is a technical problem that urgently needs to be solved by those skilled in the art.
Disclosure of Invention
The application aims to provide an attack detection method, an attack detection system, a storage medium and electronic equipment, which can improve the detection strength and detection efficiency of malicious behaviors.
In order to solve the above technical problem, the present application provides an attack detection method in which a preset attack sequence set is configured in advance; the preset attack sequence set includes a plurality of attack sequence classes, each attack sequence class includes at least one attack mode, and the detection method includes:
acquiring a malicious behavior, where the malicious behavior corresponds to one attack mode;
obtaining an actual attack sequence according to the malicious behavior;
and obtaining a detection result according to the attack sequence classes and the actual attack sequence, where the detection result represents a targeted threat attack.
Optionally, before acquiring the malicious behavior, the method further includes:
carrying out process monitoring on the collected behaviors and determining the process changes of the behaviors;
analyzing the traffic in the process changes of the behaviors using a network traffic probe, and determining the traffic content of the behaviors;
judging, according to the traffic content, whether a behavior belongs to an attack sequence class in the preset attack sequence set;
and if so, determining that the behavior is a malicious behavior.
Optionally, judging according to the traffic content whether the behavior belongs to an attack sequence class in the preset attack sequence set includes:
judging whether the preset attack sequence set has a target attack sequence class containing the process corresponding to the behavior;
and if such a target attack sequence class exists and the traffic content belongs to the traffic type generated by an attack mode in the target attack sequence class, judging that the behavior belongs to the attack sequence class in the preset attack sequence set.
Optionally, obtaining an actual attack sequence according to the malicious behavior includes:
monitoring the process changes of the malicious behavior within a preset time range to obtain the associated behaviors of the malicious behavior;
and recording the malicious behavior and all its associated behaviors to obtain the actual attack sequence of the malicious behavior.
Optionally, before obtaining a detection result according to the attack sequence classes and the actual attack sequence, the method further includes:
configuring attack sequence classes according to attack stages, and adding corresponding attack modes to the attack sequence classes according to historical attack sequences to obtain the preset attack sequence set.
Optionally, obtaining a detection result according to the attack sequence classes and the actual attack sequence includes:
if the actual attack sequence is the same as any historical attack sequence in the preset attack sequence set, or all malicious behaviors in the actual attack sequence belong to attack sequence classes in the preset attack sequence set, determining that the detection result of the attack detection is a targeted threat attack.
Optionally, if the actual attack sequence includes a malicious behavior that does not belong to any of the attack sequence classes, the method further includes:
analyzing the actual attack sequence to determine the threat degree of the actual attack sequence.
Optionally, analyzing the actual attack sequence to determine its threat degree includes:
determining, in the preset attack sequence set, a target attack sequence that shares the largest number of attack sequence classes with the actual attack sequence, and determining the differential attack sequence classes between the actual attack sequence and the target attack sequence;
carrying out threat degree detection on the malicious behaviors in the actual attack sequence that belong to the differential attack sequence classes to obtain threat parameters;
and determining the actual threat degree of the actual attack sequence according to the known threat degree of the target attack sequence and the threat parameters.
Optionally, after obtaining a detection result according to the attack sequence classes and the actual attack sequence, the method further includes:
generating corresponding alarm information according to the detection result, where the alarm information is used to guide the handling of the malicious behaviors and the actual attack sequence.
The present application further provides an attack detection system, comprising:
a detection platform, configured to acquire malicious behaviors and obtain the actual attack sequences of the malicious behaviors, to request the preset attack sequence set from the cloud, and to match the actual attack sequence against the attack sequence classes in the preset attack sequence set to obtain a detection result, where the detection result represents a targeted threat attack;
and a cloud, configured to store the preset attack sequence set.
The present application also provides a computer-readable storage medium having stored thereon a computer program which, when being executed by a processor, carries out the steps of the method as set forth above.
The present application further provides an electronic device, comprising a memory and a processor, wherein the memory stores a computer program, and the processor implements the steps of the method described above when calling the computer program in the memory.
The application provides an attack detection method in which a preset attack sequence set is configured in advance; the preset attack sequence set comprises a plurality of attack sequence classes, each attack sequence class comprises at least one attack mode, and the detection method comprises the following steps: acquiring a malicious behavior, where the malicious behavior corresponds to one attack mode; obtaining an actual attack sequence according to the malicious behavior; and obtaining a detection result according to the attack sequence classes and the actual attack sequence, where the detection result represents a targeted threat attack.
According to the method and device, after a malicious behavior is confirmed, the actual attack sequence of that malicious behavior is monitored, and the preset attack sequence set is called to judge the actual attack sequence. Because the judgment is made on the attack sequence as a whole, it is in substance carried out over the multiple dimensions that the sequence contains rather than over a single dimension. Malicious attack behaviors can therefore be detected across all dimensions, the probability that single-dimension detection is bypassed is reduced, and the detection strength and detection efficiency for malicious behaviors are improved.
The application also provides an attack detection system, a computer-readable storage medium and an electronic device, which have the same beneficial effects and are not described again here.
Drawings
In order to illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present application, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of an attack detection method provided in an embodiment of the present application;
fig. 2 is a flowchart of a malicious behavior determination process according to an embodiment of the present application;
fig. 3 is a flowchart of another malicious behavior determination process provided in an embodiment of the present application;
fig. 4 is a flowchart of a process for determining a threat level of the actual attack sequence according to an embodiment of the present application;
fig. 5 is an application architecture diagram of an attack detection method provided in an embodiment of the present application;
fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 1, fig. 1 is a flowchart of an attack detection method provided in an embodiment of the present application, where the method includes:
S101: acquiring a malicious behavior;
This embodiment is directed to attack detection and may be applied to a terminal, or to a detection platform, detection device or the like connected to the terminal. The malicious behavior may originate from any device or system that may become an attacked object, including but not limited to mobile devices, gateway devices, servers and the like.
This step aims to obtain the malicious behavior; the process by which a behavior is judged to be malicious is not limited here. Malicious behaviors may be distinguished with the process as the unit, and a person skilled in the art may also divide malicious behaviors in other ways, for example according to the behavior content of the malicious behavior.
In addition, how to determine whether a behavior is malicious is not particularly limited. For example, a person skilled in the art may define attack characteristics of historical attack behaviors, and a behavior is regarded as malicious once it matches a certain number of those attack characteristics.
In particular, since the preset attack sequence set exists before this step, a behavior that matches an attack behavior in any attack sequence class of the preset attack sequence set can be taken directly as a malicious behavior.
S102: obtaining an actual attack sequence according to the malicious behavior;
After a malicious behavior is determined, this step may monitor it to obtain the corresponding actual attack sequence. Other ways of obtaining the actual attack sequence, such as tracking or locating the malicious activity, may also be used. Taking monitoring as an example, the specific monitoring process is not limited here, and a monitoring mode matching the definition of the malicious behavior may be adopted. For example, if the malicious behavior is a process, the operations executed by that process may be monitored, and the monitoring range may cover any one or a combination of process creation, process exit, process injection, memory read/write, registry operations, file operations, service operations and network behavior. The purpose of monitoring is to determine all associated behaviors and associated data of the malicious behavior and thereby obtain its actual attack sequence. The actual attack sequence therefore includes the malicious behavior, all associated behaviors following it, and the corresponding associated data.
In addition, if monitoring is adopted, monitoring parameters such as the monitoring time may be configured for the malicious behavior. Although a malicious attack is highly covert, the malicious operations are usually executed as soon as possible after the attack in order to reach its goal, so a preset time range may be configured for the monitoring time. Once the preset time range is exceeded, the malicious behavior may be considered to have stopped attacking, or to have been identified by the security protection of the terminal system, and its monitoring may be stopped. The duration of the preset time range is not particularly limited here.
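As an added illustration of step S102 (example code, not the patent's or Sangfor's own), the following Python builds an actual attack sequence from constructed process telemetry: the confirmed malicious process is followed through the processes it creates or injects into, every operation of those processes within the preset time range is recorded as an associated behavior, and monitoring stops once the range is exceeded. The event fields, pids and the 300-second window are assumptions of the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Event:
    """One monitored operation, with the process as the unit of behavior."""
    ts: float                      # seconds since the malicious behavior was confirmed
    pid: int                       # process that performed the operation
    kind: str                      # process_create, process_inject, registry_op, file_op, network
    detail: str                    # constructed human-readable description
    target: Optional[int] = None   # pid created or injected into, for process_* kinds


def build_actual_sequence(events: List[Event], root_pid: int,
                          t0: float, window: float) -> List[Event]:
    """Collect the actual attack sequence of the malicious process `root_pid`.

    Associated behaviors are the operations of the root process and of every
    process it creates or injects into (transitively), observed within the
    preset time range [t0, t0 + window]. Monitoring stops past the window.
    """
    tracked = {root_pid}
    sequence: List[Event] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.ts < t0:
            continue
        if ev.ts > t0 + window:
            break                        # preset time range exceeded: stop monitoring
        if ev.pid not in tracked:
            continue                     # not an associated behavior of the root
        sequence.append(ev)
        if ev.kind in ("process_create", "process_inject") and ev.target is not None:
            tracked.add(ev.target)       # follow the chain into the new process
    return sequence


def demo_events() -> List[Event]:
    """Constructed sample telemetry; pid 1001 is the confirmed malicious behavior."""
    return [
        Event(0.0, 1001, "process_create", "spawns cmd.exe", target=1002),
        Event(2.0, 1002, "registry_op", "writes an HKCU Run key"),
        Event(3.0, 1001, "process_inject", "injects into explorer.exe", target=1003),
        Event(5.0, 1003, "network", "TLS to 203.0.113.10:443"),
        Event(7.0, 2000, "file_op", "unrelated editor saves a document"),
        Event(400.0, 1003, "network", "late beacon, outside the monitoring window"),
    ]


def main() -> None:
    seq = build_actual_sequence(demo_events(), root_pid=1001, t0=0.0, window=300.0)
    for ev in seq:
        print(f"t={ev.ts:5.1f} pid={ev.pid} {ev.kind}: {ev.detail}")


if __name__ == "__main__":
    main()
```

The unrelated process 2000 never enters the sequence, and the beacon at t=400 is dropped because it falls outside the preset time range; shortening the window to 4 seconds also drops the injected process's network behavior, which is the trade-off the description mentions when choosing the monitoring time.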
S103: obtaining a detection result according to the attack sequence classes and the actual attack sequence, where the detection result represents a targeted threat attack.
This step matches the actual attack sequence against the preset attack sequence set to obtain the corresponding detection result.
The preset attack sequence set may be stored in the cloud as IOA & IOC (indicator of attack and indicator of compromise) threat intelligence data, which reduces local data storage pressure and facilitates online updating of the preset attack sequence set. Of course, the preset attack sequence set may also be maintained on a local terminal or server.
The attack sequence classes are maintained in the preset attack sequence set, and each attack sequence class comprises a plurality of attack modes. The division into attack sequence classes follows the attack flow, that is, the classes are divided according to the time sequence of the attack, and generally the whole attack life cycle is divided into the corresponding attack sequence classes. For example, ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge, a model and knowledge base that reflects attack behaviors across the attack life cycle) may be used to determine the attack sequence classes, which may include reconnaissance, resource development, initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, command and control, exfiltration, and impact. Reconnaissance collects the information an attacker needs to perform the operation; resource development includes creating or stealing the resources used to carry out a malicious attack (for example acquiring email accounts or signing certificates); initial access refers to techniques such as targeted spear phishing or exploiting a vulnerability in the target; execution refers to the techniques the attacker uses to run malicious code (for example executing a local script through a remote access tool); persistence refers to techniques for keeping access after a malicious program has entered the system, so that a restart or similar event does not cut the connection, for example hijacking a system start-up program; privilege escalation refers to techniques for acquiring higher system privileges; defense evasion refers to techniques for avoiding discovery during the attack, including uninstalling or disabling security software or disguising a process as a trusted one; credential access refers to techniques for stealing credentials such as user names and passwords, and once an attacker holds stolen credentials he can log in with legitimate credentials and steal data, which makes him far harder for ordinary security monitoring to detect; discovery refers to techniques an attacker uses to obtain internal system information so as to quickly pin down the target; lateral movement refers to techniques for spreading a malicious program laterally, for example, after compromising one device, using lateral movement to compromise other devices; collection refers to techniques for gathering the data to be sent back, such as capturing screen and keyboard data; command and control refers to the means by which the attacker controls the compromised system; exfiltration refers to techniques for receiving the stolen data, such as packaging it followed by compression or encryption; impact refers to techniques by which the attacker destroys or tampers with data.
It should be noted that the actual attack sequence of a given attack does not need to include every attack sequence class; it may include only some of them, and usually includes at least the two stages of execution and exfiltration. For example, not every malicious attack needs to implement persistence or lateral movement, and the actual attack sequence does not necessarily start with the first attack sequence class in the life cycle. In other embodiments of the present application, other attack sequence classes may be included, or several of the classes described above may be merged into one attack sequence class, which also falls within the scope of the present application.
In addition, the attack modes contained in each attack sequence class and the historical attack sequences may be maintained in the preset attack sequence set. It is easy to understand that the more comprehensive the attack modes maintained in the preset attack sequence set are, the higher the detection success rate of the attack detection is. Whichever attack sequence classes the preset attack sequence set contains, each attack mode in the set must belong to exactly one attack sequence class, and every attack mode contained in any historical attack sequence must have a corresponding attack sequence class. The attack behaviors included in each attack sequence class are not specifically limited in this embodiment; the more comprehensive they are, the higher the success rate of attack detection.
The specific process for generating the preset attack sequence set is not limited. Attack sequence classes may be configured according to attack stages, and corresponding attack modes added to the classes according to historical attack sequences, to obtain the preset attack sequence set. For example, one attack sequence class is configured for each of the attack stages described above; the historical attack sequences are then consulted, the attack sequence class of each attack mode they contain is judged one by one and the mode is filled into the corresponding class; the preset attack sequence set is thereby established. The preset attack sequence set may also be made updatable, that is, updated as the attack modes included in each attack sequence class change, so as to further improve the detection success rate for malicious attacks.
This step matches the actual attack sequence using the preset attack sequence set. Note that sequence matching is performed: every attack behavior in the actual attack sequence must be matched, rather than any single behavior in the sequence being matched independently. During sequence matching, if the actual attack sequence is identical to any historical attack sequence in the preset attack sequence set, or the attack behaviors in the actual attack sequence all belong to attack sequence classes in the preset attack sequence set, the detection result may be determined to be an advanced persistent threat, that is, an APT attack. When the actual attack sequence is identical to a historical attack sequence, it is certain that an attack is under way. If no identical historical attack sequence is found but every attack behavior in the actual attack sequence is determined to belong to an attack sequence class, an attack can still be determined; this process generally requires matching each attack behavior one by one against the attack behaviors contained in the attack sequence classes to determine the class of each behavior. As a more preferable implementation, after an attack has been confirmed in this way, since the preset attack sequence set does not yet contain a historical attack sequence identical to the actual one, the actual attack sequence may be added to the preset attack sequence set as a historical attack sequence.
If the actual attack sequence contains attack behaviors that belong to no attack sequence class, then the actual attack sequence contains at least one attack behavior that the preset attack sequence set does not cover. The actual attack sequence may then be analyzed to determine its threat degree. When the actual attack sequence contains unidentified attack behaviors, an attack may well be under way at that point. How the threat degree of the actual attack sequence is determined is not particularly limited.
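The construction of the preset attack sequence set from historical sequences, the whole-sequence matching of step S103, and the threat-degree analysis via the closest historical sequence can be put together as follows. This is an added Python example, not code from the patent or from Sangfor; the attack mode names, the two historical sequences, the 0..1 threat scale and the per-class weights are constructed assumptions, since the description leaves the scoring method open. It also generalizes slightly: the closest-sequence analysis is used to estimate a threat degree for an all-known-class sequence as well, which the description does not require.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple

# One attack sequence class per attack stage, in attack life-cycle order.
ATTACK_STAGES = (
    "reconnaissance", "resource_development", "initial_access", "execution",
    "persistence", "privilege_escalation", "defense_evasion", "credential_access",
    "discovery", "lateral_movement", "collection", "command_and_control",
    "exfiltration", "impact",
)

# Constructed weights for the threat-degree analysis (assumption of this example).
CLASS_WEIGHT: Dict[str, float] = {stage: 0.05 for stage in ATTACK_STAGES}
CLASS_WEIGHT.update({"credential_access": 0.15, "lateral_movement": 0.15,
                     "exfiltration": 0.20, "impact": 0.20})
UNCLASSIFIED_WEIGHT = 0.10   # behavior that belongs to no attack sequence class


@dataclass
class HistoricalSequence:
    modes: Tuple[str, ...]      # attack modes in time order
    classes: Tuple[str, ...]    # attack sequence class of each mode
    threat: float               # known threat degree, 0..1 (constructed scale)


@dataclass
class PresetAttackSequenceSet:
    mode_to_class: Dict[str, str] = field(default_factory=dict)
    historical: List[HistoricalSequence] = field(default_factory=list)


def build_preset_set(history: Sequence[HistoricalSequence]) -> PresetAttackSequenceSet:
    """Fill the classes with the attack modes of the historical sequences.

    Every attack mode must belong to exactly one attack sequence class.
    """
    preset = PresetAttackSequenceSet()
    for seq in history:
        for mode, cls in zip(seq.modes, seq.classes):
            if cls not in ATTACK_STAGES:
                raise ValueError(f"unknown attack sequence class: {cls}")
            if preset.mode_to_class.setdefault(mode, cls) != cls:
                raise ValueError(f"attack mode {mode} assigned to two classes")
        preset.historical.append(seq)
    return preset


def analyze_threat(preset: PresetAttackSequenceSet,
                   classes: Sequence[Optional[str]]) -> Tuple[float, List[str]]:
    """Threat degree from the historical sequence sharing the most classes.

    Differential classes are those the actual sequence has and the target
    lacks; threat parameters come from them and from unclassified behaviors.
    """
    present = {c for c in classes if c is not None}
    target = max(preset.historical,
                 key=lambda s: len(present & set(s.classes)), default=None)
    base = target.threat if target else 0.0
    differential = sorted(present - (set(target.classes) if target else set()))
    params = sum(CLASS_WEIGHT[c] for c in differential)
    params += UNCLASSIFIED_WEIGHT * sum(1 for c in classes if c is None)
    return min(1.0, round(base + params, 2)), differential


def detect(preset: PresetAttackSequenceSet, actual: Sequence[str]) -> Tuple[str, float]:
    """S103: match the whole actual attack sequence, never one behavior alone."""
    actual_t = tuple(actual)
    classes = [preset.mode_to_class.get(m) for m in actual]
    for seq in preset.historical:
        if seq.modes == actual_t:
            return "apt", seq.threat          # identical to a historical sequence
    threat, _ = analyze_threat(preset, classes)
    if all(c is not None for c in classes):
        # Every behavior has a known class: an APT attack; keep the new sequence.
        preset.historical.append(HistoricalSequence(actual_t, tuple(classes), threat))
        return "apt", threat
    return "unknown_behavior", threat         # threat-degree analysis only


def build_demo_preset() -> PresetAttackSequenceSet:
    """Constructed historical attack sequences standing in for threat intelligence."""
    return build_preset_set([
        HistoricalSequence(
            ("spearphishing_attachment", "powershell", "run_key", "c2_https", "archive_exfil"),
            ("initial_access", "execution", "persistence", "command_and_control", "exfiltration"),
            0.80),
        HistoricalSequence(
            ("valid_accounts", "wmi_exec", "credential_dump", "remote_service_exec", "c2_https"),
            ("initial_access", "execution", "credential_access", "lateral_movement",
             "command_and_control"),
            0.90),
    ])
```

Calling `detect(build_demo_preset(), [...])` with the first historical sequence returns an exact match at its known threat; swapping `run_key` for `credential_dump` still yields an APT verdict because every mode has a class, with the threat raised by the differential `credential_access` class, and the sequence is then stored as a new historical sequence; a sequence containing an unknown loader mode gets only the threat-degree analysis.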
It should be noted that the specific content of the detection result is not limited in this embodiment. The detection result represents a targeted threat attack; it may be the judgment of whether an APT attack has been suffered, and on that basis may also include related parameter data such as the threat degree of the APT attack and the location of the attacked system. At minimum, the detection result includes the judgment of whether an attack has been suffered.
After an attack is determined, an alarm may be raised; the specific alarm manner is not limited, for example an alarm log may be generated. If the terminal performs the process of this embodiment itself, the alarm log may be uploaded. The alarm log may include information such as the malicious behaviors and the actual attack sequence, and may also include data such as the threat degree from the attack detection.
According to the method and device, after a malicious behavior is confirmed, the actual attack sequence of that malicious behavior is monitored, and the preset attack sequence set is called to judge the actual attack sequence. Because the judgment is made on the attack sequence as a whole, it is in substance carried out over the multiple dimensions that the sequence contains rather than over a single dimension. Malicious attack behaviors can therefore be detected across all dimensions, the probability that single-dimension detection is bypassed is reduced, and the detection strength and detection efficiency for malicious behaviors are improved.
Based on the above embodiments, a preferred way of determining the malicious behavior is described below. It should be noted that the determination process disclosed in this embodiment is only a preferred execution process of some generality; those skilled in the art may also determine the malicious behavior in other ways on the basis of this embodiment, which is not limited here. Referring to fig. 2, fig. 2 is a flowchart of a malicious behavior determination process provided in an embodiment of the present application, where the malicious behavior determination process includes:
S1011: carrying out process monitoring on the collected behaviors and determining the process changes of the behaviors;
This step performs process monitoring on the collected behaviors. The behaviors may be collected by a behavior probe, and the behaviors targeted in this step may be all behaviors or any behavior in the device or system; that is, the range of behaviors may be set freely by a person skilled in the art, for example, if a device has high security requirements, all behaviors on that device may be collected. The specific form of the behavior probe is not limited; it may collect execution behaviors using a kernel driver or an application-layer hook. The behaviors collected in this embodiment take the process as the unit, and other embodiments may use other partitioning units. With the process as the unit, the behaviors may include process creation, process exit, process injection, memory read/write, registry operations, file operations, service operations, network behavior and the like.
S1012: analyzing the traffic in the process changes of the behaviors using a network traffic probe, and determining the traffic content of the behaviors;
This step analyzes the process traffic. By monitoring the behaviors, the operation content they execute can be determined, including information such as operation addresses and operation objects, and a network collection probe may be used to collect the traffic. The specific traffic collection manner is not limited; the traffic of the behavior may be obtained by bypass mirroring, which does not affect the normal operation of the device or system. The traffic data may include, but is not limited to, the protocol, IP address, DNS (Domain Name System) name and other information of the traffic.
S1013: judging whether the behavior belongs to an attack sequence class in the preset attack sequence set or not according to the flow content; if yes, entering S1014;
this step is intended to make a decision on malicious behavior based on the content of the behavior traffic. As described above, the preset attack sequence centrally maintains various attack behaviors, and therefore, the present step can determine the behaviors according to the known attack behaviors in the preset attack sequence centrally. Of course, it will be readily appreciated that this process requires that a pre-set attack sequence set require that attack behavior and traffic characteristics be maintained in order to make comparisons and decisions at this step. Specifically, it may be determined whether the preset attack sequence set has a target attack sequence class including a process corresponding to the behavior, and if so, and the traffic content belongs to a traffic type generated by an attack manner in the target attack sequence class, it is determined that the behavior belongs to the attack sequence class in the preset attack sequence set, that is, the behavior belongs to a malicious behavior in the foregoing embodiment.
In addition, the process and the flow can be combined to judge whether the behavior belongs to the malicious behavior, namely on the basis of detecting the content of the flow, the process change of the behavior is comprehensively judged, and the judgment accuracy of the malicious behavior can be further improved.
S1014: determining that the behavior belongs to a malicious behavior.
When the corresponding attack sequence class cannot be determined according to the traffic content of the behavior, the behavior can be considered not to belong to a malicious behavior.
Specifically, if the behavior belongs to the terminal, the step S1013 in the embodiment is not necessarily executed in the terminal, but the behavior may be uploaded to the detection platform by the terminal for detection, and the detection platform may request the predetermined attack sequence set from the cloud when executing the step S1013.
As a more preferable implementation manner of this embodiment, referring to fig. 3, fig. 3 is a flowchart of another malicious behavior determination process provided in this embodiment of the application, and after step S1012, the behavior and the traffic may be uploaded to a detection platform. In step S1013, the detection platform may be used to call a preset attack sequence set from the cloud to perform matching judgment on the traffic content of the behavior. By arranging the preset attack sequence set at the cloud end, the local data storage pressure can be reduced, and the online updating of the preset attack sequence set is also facilitated.
On the basis of the above embodiment, this embodiment further refines how the malicious behavior is monitored and how its actual attack sequence is obtained. The process may be as follows:
S1021: monitoring the process changes of the malicious behavior within a preset time range to obtain the associated behaviors of the malicious behavior;
S1022: recording the malicious behavior and all of its associated behaviors to obtain the actual attack sequence of the malicious behavior.
The preset time range is not particularly limited and may be set freely by those skilled in the art, for example 5 minutes, or according to the security detection period of the system itself. Within the preset time range, if an associated behavior of the malicious behavior itself belongs to some attack sequence class, the associated behavior can be entered directly into the actual attack sequence.
It should be noted that the associated behaviors described in this embodiment are at least the first-level associated behaviors of the malicious behavior. That is, taking the malicious behavior as the initial behavior, an associated behavior directly triggered by the malicious behavior is called a first-level associated behavior; an associated behavior triggered by a first-level associated behavior, and therefore triggered indirectly by the malicious behavior, is called a second-level associated behavior; and so on. The resulting actual attack sequence should include the malicious behavior and all corresponding associated behaviors, that is, all first-level, second-level, third-level, etc. associated behaviors.
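The determination steps S1011 to S1013 and the sequence-building steps S1021 to S1022 above, carried through on constructed endpoint events, as an added example that is not part of the patent. The attack mode signatures (a1 = winword.exe with HTTP traffic, b2 = powershell.exe with DNS traffic, c2 = rundll32.exe with HTTPS traffic), the traffic-type mapping, the events, the 300-second window and the choice to model association as process lineage are all assumptions made for illustration:

```python
"""Malicious-behavior determination (S1011-S1013) and actual attack sequence
construction (S1021-S1022).

Added illustration, not the patent's own code. The events, process names,
traffic fields, signatures and the 300-second window are all constructed for
this example (hypothetical)."""
from collections import deque
from dataclasses import dataclass
from typing import Optional

# Preset attack sequence set, reduced to what the example needs. Each attack
# mode belongs to one attack sequence class and carries the process that
# performs it plus the traffic type that process generates (assumed signatures).
ATTACK_MODES = {
    "a1": {"class": "A", "process": "winword.exe",    "traffic_type": "http"},
    "b2": {"class": "B", "process": "powershell.exe", "traffic_type": "dns"},
    "c2": {"class": "C", "process": "rundll32.exe",   "traffic_type": "https"},
}

# Mapping from what the network traffic probe reports (protocol, destination
# port) to a traffic type. The patent leaves this open; this mapping is assumed.
TRAFFIC_TYPES = {("tcp", 80): "http", ("tcp", 443): "https",
                 ("udp", 53): "dns", ("tcp", 445): "smb"}


@dataclass(frozen=True)
class Event:
    ts: float                        # seconds since monitoring started
    pid: int
    ppid: int
    image: str                       # process image reported by the behavior probe
    action: str                      # process_create, process_exit, file_write, ...
    traffic: Optional[dict] = None   # bypass-mirror traffic attributed to pid


def traffic_type(traffic: Optional[dict]) -> Optional[str]:
    if not traffic:
        return None
    return TRAFFIC_TYPES.get((traffic.get("proto"), traffic.get("dport")))


def determine_malicious(ev: Event) -> Optional[str]:
    """S1013: malicious when some attack sequence class contains an attack mode
    whose process is the behavior's process AND whose traffic type matches the
    traffic content. Returns the attack mode id, or None."""
    ttype = traffic_type(ev.traffic)
    for mode_id, mode in ATTACK_MODES.items():
        if mode["process"] == ev.image and mode["traffic_type"] == ttype:
            return mode_id
    return None


@dataclass
class SeqEntry:
    label: str    # attack mode id when the behavior is in the set, else the image
    level: int    # 0 = malicious behavior, 1 = first-level association, ...
    event: Event


def build_actual_attack_sequence(events, seed: Event, window_s: float):
    """S1021-S1022: breadth-first walk over process changes triggered directly
    (level 1) or indirectly (level 2, 3, ...) by the malicious behavior inside
    the preset time range; every associated behavior is recorded. Association
    is modelled as process lineage (child ppid == parent pid), an assumption
    the patent does not fix."""
    deadline = seed.ts + window_s
    seq = [SeqEntry(determine_malicious(seed) or seed.image, 0, seed)]
    queue, seen = deque([(seed, 0)]), {seed.pid}
    while queue:
        parent, level = queue.popleft()
        children = sorted((e for e in events
                           if e.ppid == parent.pid and e.action == "process_create"
                           and parent.ts <= e.ts <= deadline and e.pid not in seen),
                          key=lambda e: e.ts)
        for child in children:
            seen.add(child.pid)
            seq.append(SeqEntry(determine_malicious(child) or child.image, level + 1, child))
            queue.append((child, level + 1))
    return seq


# Constructed behavior-probe / traffic-probe events for one terminal.
EVENTS = [
    Event(0.0, 100, 1, "winword.exe", "process_create", {"proto": "tcp", "dport": 80, "dst": "203.0.113.5"}),
    Event(1.0, 500, 1, "explorer.exe", "process_create", None),                          # unrelated process
    Event(2.0, 200, 100, "powershell.exe", "process_create", {"proto": "udp", "dport": 53, "dns": "c2.example.test"}),
    Event(5.0, 300, 200, "rundll32.exe", "process_create", {"proto": "tcp", "dport": 443, "dst": "203.0.113.7"}),
    Event(6.0, 600, 300, "whoami.exe", "process_create", None),                          # associated, not in the set
    Event(400.0, 400, 200, "cmd.exe", "process_create", None),                           # outside the 300 s window
]


def run_example(window_s: float = 300.0):
    """Find the first malicious behavior, then return its actual attack
    sequence as (label, level) pairs."""
    seeds = [e for e in EVENTS if determine_malicious(e)]
    seq = build_actual_attack_sequence(EVENTS, seeds[0], window_s)
    return [(s.label, s.level) for s in seq]


if __name__ == "__main__":
    for label, level in run_example():
        print(f"{'  ' * level}{label} (level {level})")
```

Run stand-alone it prints the sequence a1, b2, c2, whoami.exe with their association levels 0 to 3; cmd.exe, spawned by powershell.exe only after the 300-second window has elapsed, is excluded. The unmatched whoami.exe still enters the sequence because S1022 records all associated behaviors, and that is what later allows a sequence containing behaviors the preset set does not know to be scored rather than dropped.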
Further, based on the above embodiment, as a preferred implementation, the following describes in detail how to analyze an actual attack sequence and determine its threat degree when the actual attack sequence includes an attack behavior that does not exist in the preset attack sequence set. Referring to fig. 4, fig. 4 is a flowchart of the process for determining the threat degree of an actual attack sequence provided by an embodiment of the present application, and the process is as follows:
S201: determining, in the preset attack sequence set, the target attack sequence that shares the largest number of attack sequence classes with the actual attack sequence, and determining the differential attack sequence classes between the actual attack sequence and the target attack sequence;
S202: performing threat degree detection on the malicious behaviors in the actual attack sequence that belong to the differential attack sequence classes, to obtain threat parameters;
S203: determining the actual threat degree of the actual attack sequence according to the known threat degree of the target attack sequence and the threat parameters.
Specifically, the target attack sequence most similar to the actual attack sequence is found in the preset attack sequence set; the target attack sequence can be taken from the historical attack sequences. The only requirement on the target attack sequence is that it share the largest number of identical attack sequence classes with the actual attack sequence. In other words, the target attack sequence and the actual attack sequence have highly similar or even identical attack sequence classes, meaning that their attack flows are highly similar or even identical, so the threat degree of the actual attack sequence can be estimated from the target attack sequence, whose threat degree is known. Threat degree detection is performed on the attack behaviors in which the actual attack sequence differs from the target attack sequence, yielding the corresponding threat parameters, and the actual threat degree of the actual attack sequence is then determined from the known threat degree of the target attack sequence together with those threat parameters. How the threat parameters are obtained is not particularly limited; those skilled in the art may set them with reference to the attack object of the attack behavior, the attack mode, the degree of data damage, and so on. The known threat degree of the target attack sequence should, correspondingly, be computed under the same scoring scheme.
In this way, when the actual attack sequence of a malicious behavior is not completely identified by the preset attack sequence set, its threat degree can still be reasonably inferred from that of the target attack sequence, so that the degree of harm of the malicious behavior can be judged, handling can be prioritized by threat degree, and system security is improved.
The following describes a specific application of actual attack sequence matching in the attack detection method provided in the present application. Assume that a preset attack sequence set has already been configured at the time of application, and that it includes five attack sequence classes A, B, C, D and E, executed in the order A → B → C → D → E, where A = {a1, a2, a3}, that is, attack sequence class A includes the three attack modes a1, a2 and a3; similarly, B = {b1, b2, b3}, C = {c1, c2, c3}, D = {d1, d2, d3} and E = {e1, e2, e3}.
If malicious behavior a1 is detected and monitored, and the actual attack sequence a1 → b2 → c2 of malicious behavior a1 is obtained, the actual attack sequence is matched against the preset attack sequence set, and a1, b2 and c2 are confirmed to be attack behaviors included in attack sequence classes A, B and C respectively; at this point it can be confirmed that an attack is underway.
If malicious behavior b1 is detected and monitored, and the actual attack sequence b1 → c3 → e2 of malicious behavior b1 is obtained, the actual attack sequence is matched against the preset attack sequence set, and b1, c3 and e2 are confirmed to be attack behaviors included in attack sequence classes B, C and E respectively; at this point it can be confirmed that an attack is underway.
If malicious behavior a1 is detected and monitored, and the actual attack sequence a1 → b4 → d2 of malicious behavior a1 is obtained, the actual attack sequence is matched against the preset attack sequence set, and it is found that the preset attack sequence set does not contain b4 but does contain the historical attack sequence a1 → b2 → d2. Threat degree detection is then performed on b4 with reference to the threat degree of the historical attack sequence a1 → b2 → d2 to obtain a threat parameter, and the threat degree of the actual attack sequence a1 → b4 → d2 is confirmed by combining the threat degree of the historical attack sequence a1 → b2 → d2 with that threat parameter.
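The matching in the three cases above, together with the threat inference of S201 to S203, carried through in code as an added example that is not the patent's own implementation. The preset set A to E is the one from the example; the historical attack sequences, the behavior attributes (attack object, attack mode, data damage degree), the additive weights that turn them into a threat parameter, and the rule that combines the target sequence's known threat degree with the parameters are all assumptions, since the patent leaves the scoring to the implementer:

```python
"""Actual attack sequence matching (claim 6) and threat degree inference
(S201-S203) for the worked example with attack sequence classes A..E.

Added illustration, not the patent's own code. The historical attack
sequences, the behavior attributes (attack object, attack mode, data damage
degree) and the additive weights that turn them into a threat parameter are
constructed for this example; the patent only requires that the known threat
degree of the target sequence be computed with the same scheme."""
from typing import Optional

# Preset attack sequence set from the patent's example: five attack sequence
# classes executed in the order A -> B -> C -> D -> E, three attack modes each.
PRESET_SET = {
    "A": {"a1", "a2", "a3"}, "B": {"b1", "b2", "b3"}, "C": {"c1", "c2", "c3"},
    "D": {"d1", "d2", "d3"}, "E": {"e1", "e2", "e3"},
}

# Historical attack sequences with known threat degree (constructed; includes
# the a1 -> b2 -> d2 sequence the example refers to).
HISTORICAL = [("a1", "b2", "c2"), ("a1", "b2", "d2"), ("b1", "c3", "e2")]

# What threat degree detection observes for a behavior: (attack object,
# attack mode, data damage degree). Constructed; b4 is absent from the set.
BEHAVIOR_ATTRS = {
    "a1": ("workstation", "phishing", 1),
    "b1": ("workstation", "exploit", 1),
    "b2": ("workstation", "exploit", 2),
    "c2": ("workstation", "persistence", 2),
    "c3": ("server", "persistence", 2),
    "d2": ("domain_controller", "lateral_movement", 3),
    "e2": ("server", "exfiltration", 3),
    "b4": ("server", "exploit", 3),
}
OBJECT_WEIGHT = {"workstation": 1, "server": 2, "domain_controller": 3}
MODE_WEIGHT = {"phishing": 1, "exploit": 2, "persistence": 1,
               "lateral_movement": 2, "exfiltration": 3}


def threat_parameter(behavior: str) -> int:
    """Threat parameter of one behavior (assumed additive scheme)."""
    obj, mode, damage = BEHAVIOR_ATTRS[behavior]
    return OBJECT_WEIGHT[obj] + MODE_WEIGHT[mode] + damage


def known_threat(sequence) -> int:
    """Threat degree of a fully known sequence, computed with the same scheme."""
    return sum(threat_parameter(b) for b in sequence)


def classify(behavior: str) -> Optional[str]:
    """Attack sequence class holding this attack mode, or None if absent."""
    for cls, modes in PRESET_SET.items():
        if behavior in modes:
            return cls
    return None


def detect(actual):
    """Claim 6: a directional threat attack is reported when the actual
    sequence equals a historical sequence or every behavior in it belongs to
    some attack sequence class; otherwise the sequence needs threat analysis."""
    classes = [classify(b) for b in actual]
    if tuple(actual) in HISTORICAL or all(classes):
        return "directional threat attack", classes
    return "partial match", classes


def find_target(actual):
    """S201: historical sequence sharing the most attack sequence classes with
    the actual sequence (first one wins on ties)."""
    actual_classes = {c for c in map(classify, actual) if c}
    return max(HISTORICAL,
               key=lambda h: len(actual_classes & {classify(b) for b in h}))


def estimate_threat(actual):
    """S201-S203: threat degree of an actual sequence that may contain
    behaviors absent from the preset attack sequence set."""
    _, classes = detect(actual)
    if all(classes):
        return {"target": tuple(actual), "diff_classes": set(),
                "params": {}, "threat": known_threat(actual)}
    target = find_target(actual)
    target_classes = {classify(b) for b in target}
    actual_known = {c for c in classes if c}
    diff = target_classes ^ actual_known      # differential attack sequence classes
    # S202: threat parameters for the actual behaviors the target does not
    # cover: the unknown ones, plus known ones whose class the target lacks.
    params = {b: threat_parameter(b) for b, c in zip(actual, classes)
              if c is None or c in diff}
    # S203: start from the target's known threat, drop the contribution of the
    # target behaviors in the differential classes, add the detected parameters.
    replaced = sum(threat_parameter(b) for b in target if classify(b) in diff)
    threat = known_threat(target) - replaced + sum(params.values())
    return {"target": target, "diff_classes": diff, "params": params, "threat": threat}


if __name__ == "__main__":
    for seq in [("a1", "b2", "c2"), ("b1", "c3", "e2"), ("a1", "b4", "d2")]:
        print(" -> ".join(seq), detect(seq)[0], estimate_threat(seq))
```

For a1 → b4 → d2 the closest historical sequence is a1 → b2 → d2 (two shared classes, A and D), the differential class is B, b4 scores 7 under the assumed scheme, and the sequence's threat degree becomes 16 − 5 + 7 = 18: the target's known threat minus the contribution of the b2 it replaces plus b4's parameter. Any other scoring works as long as the historical sequence's known threat degree was computed with the same scheme, which is exactly what the text requires.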
An attack detection system provided by the present application is described below with reference to fig. 5, which is an application architecture diagram of the attack detection system provided by an embodiment of the present application. The attack detection system is composed of a cloud and a detection platform, and may further include a plurality of terminals communicating with the detection platform. Wherein:
the detection platform is used for acquiring malicious behaviors and obtaining the actual attack sequence of each malicious behavior; requesting the preset attack sequence set from the cloud, and matching the actual attack sequence against the attack sequence classes in the preset attack sequence set to obtain a detection result, where the detection result represents a directional threat attack;
and the cloud is used for storing the preset attack sequence set.
The terminal collects behaviors with a behavior probe and the traffic of those behaviors with a network traffic probe, packages them into a preset format and uploads them to the detection platform; the behaviors and the traffic may be packaged separately or together. The detection platform requests the preset attack sequence set from the cloud, judges from the process changes and the traffic content of a behavior whether it belongs to any attack sequence class in the preset attack sequence set, and, if so, determines the behavior to be malicious.
The terminal monitors the process changes of the malicious behavior within the preset time range and records its associated behaviors to obtain the actual attack sequence;
the terminal then uploads the actual attack sequence to the detection platform, which matches it against the preset attack sequence set to obtain the detection result. The detection result can subsequently be returned to the terminal, or an alarm can be raised directly.
In this way, the detection platform can be connected to a plurality of terminal devices at the same time, so that attack detection on the terminals is performed by the detection platform and the network information security of the terminals is ensured.
The present application further provides a computer-readable storage medium on which a computer program is stored; when executed, the computer program can implement the steps of the attack detection method provided in the foregoing embodiments. The storage medium may include various media capable of storing program code, such as a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.
The present application further provides an electronic device, which may include a memory and a processor, where the memory stores a computer program, and when the processor calls the computer program in the memory, the steps of the attack detection method provided in the foregoing embodiment may be implemented. Of course, the electronic device may also include various network interfaces, power supplies, and the like. Referring to fig. 6, fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure, where the electronic device according to the embodiment may include: a processor 2101 and a memory 2102.
Optionally, the electronic device may further comprise a communication interface 2103, an input unit 2104 and a display 2105 and a communication bus 2106.
The processor 2101, the memory 2102, the communication interface 2103, the input unit 2104, the display 2105, and the like communicate with each other via the communication bus 2106.
In the embodiment of the present application, the processor 2101 may be a Central Processing Unit (CPU), an Application Specific Integrated Circuit (ASIC), a digital signal processor, a Field Programmable Gate Array (FPGA) or another programmable logic device.
The processor may call a program stored in the memory 2102. In particular, the processor may perform the operations performed by the electronic device in the above embodiments.
The memory 2102 stores one or more programs, which may include program code including computer operating instructions, and in this embodiment, at least one program for implementing the following functions is stored in the memory:
acquiring a malicious behavior; the malicious behavior corresponds to one attack mode;
obtaining an actual attack sequence according to the malicious behavior;
and obtaining a detection result according to the attack sequence class and the actual attack sequence, wherein the detection result is used for representing the directional threat attack.
In one possible implementation, the memory 2102 may include a program storage area and a data storage area, where the program storage area may store an operating system, an application program required by at least one function (such as the attack detection function), and the like, and the data storage area may store data created during use of the computer.
Further, the memory 2102 may include high-speed random access memory, and may also include non-volatile memory, such as at least one disk storage device or other non-volatile solid-state storage device.
The communication interface 2103 may be an interface of a communication module, such as an interface of a GSM module.
The electronic device may also include the display 2105 and the input unit 2104, among others.
The structure of the electronic device shown in fig. 6 does not constitute a limitation of the electronic device in the embodiment of the present application, and in practical applications, the electronic device may include more or less components than those shown in fig. 6, or some components may be combined.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. For the system provided by the embodiment, the description is relatively simple because the system corresponds to the method provided by the embodiment, and the relevant points can be referred to the method part for description.
The principles and embodiments of the present application are explained herein using specific examples, which are provided only to help understand the method and the core idea of the present application. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (12)

1. An attack detection method is characterized in that a preset attack sequence set is preset, the preset attack sequence set comprises a plurality of attack sequence classes, the attack sequence classes comprise at least one attack mode, and the detection method comprises the following steps:
acquiring a malicious behavior; the malicious behavior corresponds to one attack mode;
obtaining an actual attack sequence according to the malicious behavior;
and obtaining a detection result according to the attack sequence class and the actual attack sequence, wherein the detection result is used for representing the directional threat attack.
2. The attack detection method according to claim 1, wherein before the acquiring the malicious behavior, the method further comprises:
performing process monitoring on the collected behaviors and determining the process changes of the behaviors;
analyzing, with a network traffic probe, the traffic generated during the process changes of the behavior, and determining the traffic content of the behavior;
judging, according to the traffic content, whether the behavior belongs to an attack sequence class in the preset attack sequence set;
and if so, determining that the behavior is a malicious behavior.
3. The detection method according to claim 2, wherein judging, according to the traffic content, whether the behavior belongs to an attack sequence class in the preset attack sequence set comprises:
judging whether the preset attack sequence set contains a target attack sequence class that includes the process corresponding to the behavior;
and if such a target attack sequence class exists and the traffic content belongs to a traffic type generated by an attack mode in the target attack sequence class, determining that the behavior belongs to an attack sequence class in the preset attack sequence set.
4. The attack detection method of claim 1, wherein obtaining an actual attack sequence from the malicious activity comprises:
monitoring the process change of the malicious behavior within a preset time range to obtain the associated behavior of the malicious behavior;
and recording the malicious behaviors and all the corresponding associated behaviors to obtain an actual attack sequence of the malicious behaviors.
5. The attack detection method according to claim 1, wherein before obtaining the detection result according to the attack sequence class and the actual attack sequence, the method further comprises:
and configuring an attack sequence class according to the attack stage, and adding a corresponding attack mode to the attack sequence class according to the historical attack sequence to obtain the preset attack sequence set.
6. The attack detection method according to claim 1, wherein obtaining a detection result according to the attack sequence class and the actual attack sequence comprises:
and if the actual attack sequence is the same as any historical attack sequence in the preset attack sequence set, or all malicious behaviors in the actual attack sequence belong to attack sequence classes in the preset attack sequence set, determining that the detection result of the attack detection is a directional threat attack.
7. The attack detection method according to claim 6, wherein if the actual attack sequence contains a malicious behavior that does not belong to any of the attack sequence classes, further comprising:
and analyzing the actual attack sequence to determine the threat degree of the actual attack sequence.
8. The attack detection method according to claim 7, wherein analyzing the actual attack sequence and determining the threat level of the actual attack sequence comprises:
determining, in the preset attack sequence set, the target attack sequence that shares the largest number of attack sequence classes with the actual attack sequence, and determining the differential attack sequence classes between the actual attack sequence and the target attack sequence;
performing threat degree detection on the malicious behaviors in the actual attack sequence that belong to the differential attack sequence classes, to obtain threat parameters;
and determining the actual threat degree of the actual attack sequence according to the known threat degree of the target attack sequence and the threat parameters.
9. The attack detection method according to any one of claims 1 to 8, wherein after obtaining a detection result according to the attack sequence class and the actual attack sequence, the method further comprises:
and generating corresponding alarm information according to the detection result, wherein the alarm information is used to guide the handling of the malicious behavior and the actual attack sequence.
10. An attack detection system, comprising:
the detection platform is used for acquiring the malicious behaviors and obtaining the actual attack sequence of the malicious behaviors; requesting to call a preset attack sequence set from a cloud end, and matching the actual attack sequence by using an attack sequence class in the preset attack sequence set to obtain a detection result; the detection result is used for representing the directional threat attack;
and the cloud is used for storing the preset attack sequence set.
11. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the attack detection method according to any one of claims 1 to 9.
12. An electronic device, characterized in that it comprises a memory in which a computer program is stored and a processor which, when it calls the computer program in the memory, implements the steps of the attack detection method according to any one of claims 1-9.
CN202110741980.0A 2021-06-30 2021-06-30 Attack detection method, attack detection system, storage medium and electronic device Active CN113472789B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110741980.0A CN113472789B (en) 2021-06-30 2021-06-30 Attack detection method, attack detection system, storage medium and electronic device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110741980.0A CN113472789B (en) 2021-06-30 2021-06-30 Attack detection method, attack detection system, storage medium and electronic device

Publications (2)

Publication Number Publication Date
CN113472789A true CN113472789A (en) 2021-10-01
CN113472789B CN113472789B (en) 2023-05-16

Family

ID=77876914

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110741980.0A Active CN113472789B (en) 2021-06-30 2021-06-30 Attack detection method, attack detection system, storage medium and electronic device

Country Status (1)

Country Link
CN (1) CN113472789B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114338118A (en) * 2021-12-22 2022-04-12 北京未来智安科技有限公司 Threat detection method and device based on ATT & CK
CN115208659A (en) * 2022-07-13 2022-10-18 杭州安恒信息技术股份有限公司 Simulation detection method, device, equipment and medium for intranet attack

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103312679A (en) * 2012-03-15 2013-09-18 北京启明星辰信息技术股份有限公司 APT (advanced persistent threat) detection method and system
CN105809035A (en) * 2016-03-07 2016-07-27 南京邮电大学 Android application real-time behavior based malicious software detection method and system
CN107888607A (en) * 2017-11-28 2018-04-06 新华三技术有限公司 A kind of Cyberthreat detection method, device and network management device
US20190182274A1 (en) * 2017-12-11 2019-06-13 Radware, Ltd. Techniques for predicting subsequent attacks in attack campaigns
CN111651767A (en) * 2020-06-05 2020-09-11 腾讯科技(深圳)有限公司 Abnormal behavior detection method, device, equipment and storage medium
CN111901296A (en) * 2020-06-17 2020-11-06 深圳市金城保密技术有限公司 Network attack behavior detection method and detection system
CN112686114A (en) * 2020-12-23 2021-04-20 杭州海康威视数字技术股份有限公司 Behavior detection method, device and equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant