CN113472789B - Attack detection method, attack detection system, storage medium and electronic device - Google Patents

Info

Publication number: CN113472789B
Application number: CN202110741980.0A
Authority: CN (China)
Prior art keywords: attack, attack sequence, actual, sequence, behavior
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN113472789A (en)
Inventor: 李飞虎
Current assignee: Sangfor Technologies Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Sangfor Technologies Co Ltd
Priority date: the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed

Application events:
Application filed by Sangfor Technologies Co Ltd
Priority to CN202110741980.0A
Publication of CN113472789A
Application granted
Publication of CN113472789B
Legal status: Active

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/145Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Abstract

The application provides an attack detection method in which an attack sequence set is preset, where the preset attack sequence set comprises a plurality of attack sequence classes and each attack sequence class comprises at least one attack mode. The detection method comprises the following steps: acquiring a malicious behavior, the malicious behavior corresponding to one of the attack modes; obtaining an actual attack sequence according to the malicious behavior; and obtaining a detection result according to the attack sequence classes and the actual attack sequence, the detection result being used to represent a directional (targeted) threat attack. According to the method and the device, malicious attack behaviors can be detected in an all-round manner, the probability of being bypassed due to single-dimension detection is reduced, and the detection strength and detection efficiency for malicious behaviors are improved. The application also provides an attack detection system, a computer readable storage medium and an electronic device, which have the same beneficial effects.

Description

Attack detection method, attack detection system, storage medium and electronic device
Technical Field
The present disclosure relates to the field of network security, and in particular, to an attack detection method, an attack detection system, a storage medium, and an electronic device.
Background
Endpoint protection software on a system determines threats by behavior monitoring combined with IOCs (indicators of compromise), for example by comparing the MD5 (message-digest algorithm) hash of a changed file against known malicious files, or by monitoring network behavior and comparing it against malicious DNS (Domain Name System) names. Such single-dimension detection lags behind the attacker, and because changing an IOC such as an MD5 hash or a DNS name costs the attacker very little, it is very easy to bypass. Because the contextual (association) information of the attack is missing when a threat occurs, it is difficult to capture a new APT (Advanced Persistent Threat) attack with IOCs alone.
Currently, a single-point defense concept is adopted: key operations are monitored by a driver or by hooking key functions, the black/white/grey status of the operating process's MD5 hash is queried in the cloud, non-whitelisted processes are intercepted with a pop-up window, and the user is left to decide whether to allow the operation. However, it is difficult to determine from a single-point behavior whether a program is malicious; only a suspicious program that cannot be definitely identified can be reported, the user cannot decide how to handle it from the alarm information alone, single-point behavior is easily bypassed, and whether the system is under an APT attack cannot be determined from a single dangerous behavior. Therefore, how to effectively prevent APT attacks is a technical problem that those skilled in the art need to solve.
Disclosure of Invention
The purpose of the application is to provide an attack detection method, an attack detection system, a storage medium and electronic equipment, which can improve the detection intensity and detection efficiency of malicious behaviors.
In order to solve the above technical problems, the present application provides an attack detection method in which an attack sequence set is preset, where the preset attack sequence set includes a plurality of attack sequence classes and each attack sequence class includes at least one attack mode. The detection method includes:
acquiring malicious behaviors; the malicious behavior corresponds to one of the attack modes;
obtaining an actual attack sequence according to the malicious behavior;
and obtaining a detection result according to the attack sequence class and the actual attack sequence, wherein the detection result is used for representing the directional threat attack.
Optionally, before the malicious behavior is acquired, the method further includes:
performing process monitoring on the collected behaviors, and determining the process change of the behaviors;
analyzing the flow in the behavior process change by using a network flow probe, and determining the flow content of the behavior;
judging whether the behavior belongs to an attack sequence class in the preset attack sequence set according to the traffic content;
if yes, determining that the behavior belongs to malicious behavior.
Optionally, determining whether the behavior belongs to the attack sequence class in the preset attack sequence set according to the traffic content includes:
judging whether the preset attack sequence set has a target attack sequence class containing the process corresponding to the behavior;
if such a target attack sequence class exists, and the traffic content belongs to a traffic type generated by an attack mode in the target attack sequence class, judging that the behavior belongs to an attack sequence class in the preset attack sequence set.
Optionally, obtaining the actual attack sequence according to the malicious behavior includes:
monitoring the process changes of the malicious behavior within a preset time range to obtain the associated behaviors of the malicious behavior;
recording the malicious behavior and all of its associated behaviors to obtain the actual attack sequence of the malicious behavior.
Optionally, before obtaining the detection result according to the attack sequence class and the actual attack sequence, the method further includes:
and configuring an attack sequence class according to the attack stage, and adding a corresponding attack mode for the attack sequence class according to the historical attack sequence to obtain the preset attack sequence set.
Optionally, obtaining the detection result according to the attack sequence class and the actual attack sequence includes:
if the actual attack sequence is the same as any historical attack sequence in the preset attack sequence set, or the malicious behaviors in the actual attack sequence belong to attack sequence classes in the preset attack sequence set, determining that the detection result of the attack detection is that a directional threat attack is under way.
Optionally, if the actual attack sequence includes malicious behavior that does not belong to any attack sequence class, the method further includes:
analyzing the actual attack sequence and determining the threat degree of the actual attack sequence.
Optionally, analyzing the actual attack sequence, and determining the threat degree of the actual attack sequence includes:
determining the target attack sequence in the preset attack sequence set that shares the most attack sequence classes with the actual attack sequence, and identifying the attack sequence classes in which the actual attack sequence and the target attack sequence differ;
performing threat degree detection on the malicious behaviors in the actual attack sequence that belong to the differing attack sequence classes, so as to obtain threat parameters;
and determining the actual threat degree of the actual attack sequence according to the known threat degree of the target attack sequence and the threat parameters.
Optionally, after obtaining the detection result according to the attack sequence class and the actual attack sequence, the method further includes:
and generating corresponding alarm information according to the detection result, wherein the alarm information is used for guiding the treatment of the malicious behavior and the actual attack sequence.
The application also provides an attack detection system, comprising:
the detection platform, used for acquiring a malicious behavior and obtaining the actual attack sequence of the malicious behavior, requesting the preset attack sequence set from the cloud, and matching the actual attack sequence against the attack sequence classes in the preset attack sequence set to obtain a detection result, the detection result being used to represent a directional threat attack;
the cloud end is used for storing the preset attack sequence set.
The present application also provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the method as described above.
The application also provides an electronic device comprising a memory in which a computer program is stored and a processor which when calling the computer program in the memory implements the steps of the method as described above.
The application provides an attack detection method, preset attack sequence sets, wherein the preset attack sequence sets comprise a plurality of attack sequence classes, the attack sequence classes comprise at least one attack mode, and the detection method comprises the following steps: acquiring malicious behaviors; the malicious behavior corresponds to one of the attack modes; obtaining an actual attack sequence according to the malicious behavior; and obtaining a detection result according to the attack sequence class and the actual attack sequence, wherein the detection result is used for representing the directional threat attack.
According to the method and the device, after a malicious behavior is confirmed, its actual attack sequence is monitored, and the preset attack sequence set is called to perform attack detection on the actual attack sequence. Because the judgment is made on the attack sequence as a whole, it is based on the multiple dimensions contained in the attack sequence rather than on a single dimension; malicious attack behaviors can therefore be detected in an all-round manner, the probability that single-dimension detection is bypassed is reduced, and the detection strength and detection efficiency for malicious behaviors are improved.
The application further provides an attack detection system, a computer readable storage medium and an electronic device, which have the above beneficial effects and are not described herein.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present application, and that other drawings may be obtained according to the provided drawings without inventive effort to a person skilled in the art.
Fig. 1 is a flowchart of an attack detection method provided in an embodiment of the present application;
FIG. 2 is a flowchart of a malicious behavior determination process according to an embodiment of the present application;
FIG. 3 is a flowchart of another malicious behavior determination process provided by an embodiment of the present application;
FIG. 4 is a flowchart of a process for determining threat level of the actual attack sequence according to an embodiment of the present application;
fig. 5 is an application architecture diagram of an attack detection method provided in an embodiment of the present application;
fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
Referring to fig. 1, fig. 1 is a flowchart of an attack detection method provided in an embodiment of the present application, where the method includes:
S101: acquiring malicious behaviors;
This embodiment is directed to attack detection and may be applied to a terminal, or to a detection platform, detection device, etc. connected to the terminal; the malicious behavior may originate from any device or system that may be the object of an attack, including but not limited to mobile devices, gateway devices, servers, etc.
This step aims at acquiring malicious behaviors; whether the step itself includes the process of judging that a behavior is malicious is not limited, and the manner of determining malicious behavior is not particularly limited here. Malicious behaviors may be distinguished in units of processes, but those skilled in the art may also divide malicious behaviors in other ways, for example according to the behavior content of the malicious behavior.
In addition, how to determine whether a behavior is malicious is not particularly limited. For example, attack characteristics of attack behaviors may be defined by a person skilled in the art, and a behavior is regarded as malicious once it matches a certain number of those attack characteristics.
In particular, the preset attack sequence set exists before this step, and if a behavior matches an attack behavior in any attack sequence class of the preset attack sequence set, it can be treated directly as a malicious behavior.
S102: obtaining an actual attack sequence according to the malicious behavior;
After the malicious behavior is determined, this step can monitor the malicious behavior so as to obtain the corresponding actual attack sequence. Of course, other ways of obtaining the actual attack sequence may be used, such as tracking or locating the malicious behavior. Taking monitoring as an example, the specific monitoring process is not limited, and a monitoring mode can be chosen according to how the malicious behavior is defined. For example, if malicious behaviors are defined in units of processes, the operations performed by the process corresponding to the malicious behavior may be monitored; the monitoring scope may include, but is not limited to, any one or combination of process creation, process exit, process injection, memory read/write, registry operations, file operations, service operations and network behavior. The aim of the monitoring is to determine all associated behaviors and associated data of the malicious behavior and to obtain from them its actual attack sequence. The actual attack sequence therefore contains the malicious behavior itself, all associated behaviors following it, and the corresponding associated data.
In addition, if a monitoring mode is adopted, corresponding monitoring parameters, such as the monitoring time, can be configured for the malicious behavior. Although malicious attacks are highly concealed, they typically perform their malicious operations as soon as possible after intrusion in order to achieve the attack's purpose, so a preset time range may be configured as the monitoring time. Once the preset time range is exceeded, the malicious behavior may be considered to have stopped attacking, or to have been identified by the terminal system's own security protection, and monitoring of the malicious behavior may be stopped. Of course, the duration of the preset time range is not particularly limited here.
S103: and obtaining a detection result according to the attack sequence class and the actual attack sequence, wherein the detection result is used for representing the directional threat attack.
The step aims at matching the actual attack sequence by using a preset attack sequence set to obtain a corresponding detection result.
The preset attack sequence set can be stored in the cloud as threat information data of the IOA & IOC (indicator of attack and indicator of compromise, attack indexes and intrusion threat indexes), so that the local data storage pressure is reduced, and the on-line updating of the preset attack sequence set is also facilitated. Of course, the preset attack sequence set may also be maintained at the local terminal or the server.
Attack sequence classes are maintained, each containing a plurality of attack modes. The division into attack sequence classes is determined by the attack flow, that is, the classes are divided according to the time sequence of an attack, and the attack life cycle is generally divided into corresponding attack sequence classes. For example, ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge, a model and knowledge base reflecting attacker behavior across the attack life cycle) may be used to determine the attack sequence classes, which may include reconnaissance, resource development, initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, command and control, exfiltration (data backhaul), and impact. Reconnaissance gathers the information an attacker needs to carry out the operation; resource development covers creating or stealing resources for carrying out the attack (for example acquiring email accounts or signing certificates); initial access refers to techniques such as targeted spear phishing or exploiting a vulnerability in the target; execution refers to techniques an attacker uses to run malicious code (for example running a local script through a remote access tool); persistence refers to techniques for keeping access after the malicious program has entered the system, so that a restart or similar event does not cut the connection, for example hijacking a system startup program; privilege escalation refers to techniques for obtaining higher system privileges; defense evasion refers to techniques for avoiding discovery during the attack, including uninstalling or disabling security software or masquerading as a trusted process; credential access refers to techniques for stealing credentials such as user names and passwords, and once a malicious attacker has stolen credentials they can log in to the system with legitimate credentials and steal data, which is harder for a normal security monitoring system to detect; discovery refers to techniques by which an attacker obtains internal information about the system in order to quickly determine their target; lateral movement refers to techniques by which an attacker extends the intrusion sideways, for example, after penetrating one device, completing the intrusion of other devices; collection refers to techniques for gathering the data the attacker is after, such as capturing screen and keyboard data; command and control refers to how the attacker controls the compromised system; exfiltration refers to techniques for transferring out stolen data, such as compressing or encrypting it after packaging; and impact refers to techniques by which an attacker destroys or tampers with data.
It should be noted that not every attack corresponding to an actual attack sequence needs to include every attack sequence class; an actual attack sequence may include only some of the classes, generally at least the two of execution and data backhaul. For example, not all malicious attacks need to implement persistence or lateral movement, and the actual attack sequence does not necessarily have to contain the earliest attack sequence class. In addition, in other embodiments of the present application, other attack sequence classes may be included, or several of the attack sequence classes described above may be merged into one attack sequence class, which is also within the protection scope of the present application.
In addition, the attack modes contained in each attack sequence class and the historical attack sequences can be maintained in the preset attack sequence set. It is easy to understand that the more comprehensive the attack modes maintained in the preset attack sequence set, the higher the success rate of attack detection. Whichever attack sequence classes the preset attack sequence set contains, each attack mode in the set must belong to exactly one attack sequence class, and every attack mode contained in any historical attack sequence has a corresponding attack sequence class. The attack behaviors included in each attack sequence class are not specifically limited in this embodiment; it is easy to understand that the more comprehensive the attack behaviors included in an attack sequence class, the higher the success rate of attack detection.
The specific generation process of the preset attack sequence set is not limited; the attack sequence classes can be configured according to attack stages, and corresponding attack modes added to each class according to the historical attack sequences, to obtain the preset attack sequence set. The attack sequence classes are determined first, for example by configuring one attack sequence class for each of the attack stages described above; then, with reference to the historical attack sequences, the attack modes contained in each historical attack sequence are assigned one by one to their attack sequence classes and filled into the corresponding classes, which finally establishes the preset attack sequence set. Of course, the preset attack sequence set may be configured to be updatable, that is, the attack modes included in each attack sequence class may be updated, so as to further improve the success rate of detecting malicious attacks.
This step aims at matching the actual attack sequence against the preset attack sequence set. It is noted that sequence matching is performed: every attack behavior in the actual attack sequence needs to be matched, rather than any single behavior in the actual attack sequence being matched on its own. When the sequences are matched, if the actual attack sequence is the same as any historical attack sequence in the preset attack sequence set, or the attack behaviors in the actual attack sequence belong to attack sequence classes in the preset attack sequence set, the detection result can be determined to be an advanced persistent threat attack, that is, an APT attack. When the actual attack sequence is the same as a certain historical attack sequence, an attack can be determined with certainty. If no historical attack sequence identical to the actual attack sequence is found, but the attack behaviors contained in the actual attack sequence are determined to belong to attack sequence classes, an attack can still be determined. It should be noted that this process generally needs to match the attack behaviors one by one against the attack behaviors contained in the attack sequence classes, so as to determine the attack sequence class corresponding to each attack behavior. As a more preferable execution procedure, after the attack is confirmed in this way, since the preset attack sequence set does not yet contain a historical attack sequence identical to the actual attack sequence, the actual attack sequence may be added to the preset attack sequence set as a historical attack sequence.
If the actual attack sequence contains attack behaviors that do not belong to any attack sequence class, this indicates that at least some attack behaviors in the actual attack sequence are not contained in the preset attack sequence set. At this time, the actual attack sequence can be analyzed to determine its threat degree. When the actual attack sequence contains unidentified attack behaviors, an attack can still be determined with certainty. How the threat degree of the actual attack sequence is determined is not specifically limited.
It should be noted that the specific content of the detection result is not limited in this embodiment. The detection result is used to characterize the directional threat attack, and may be a judgment of whether the attack is an APT attack, or may additionally include related parameter data such as the threat degree of the APT attack, the location information of the attacked system, etc. But the detection result at least includes a judgment of whether an attack is taking place.
After an attack is determined, an alarm can be raised; the specific form of the alarm is not limited, and for example an alarm log can be generated. If the terminal itself executes the process of this embodiment, the alarm log can be uploaded. Of course, the alarm log may include information such as the malicious behavior and the actual attack sequence, and may also include data such as the threat degree from the attack detection.
According to this embodiment of the application, after a malicious behavior is confirmed, its actual attack sequence is monitored, and the preset attack sequence set is called to perform attack detection on the actual attack sequence. Because the judgment is made on the attack sequence as a whole, it is based on the multiple dimensions contained in the attack sequence rather than on a single dimension; malicious attack behaviors can therefore be detected in an all-round manner, the probability that single-dimension detection is bypassed is reduced, and the detection strength and detection efficiency for malicious behaviors are improved.
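The following is an added worked example, not code from the patent or from Sangfor: it implements the S102/S103 logic described above (building the actual attack sequence from process-monitor events within a preset time range, matching it against a preset attack sequence set, remembering a newly confirmed sequence as history, and estimating the threat degree of a sequence containing unknown behaviours along the lines of Fig. 4). The class names follow the ATT&CK tactics listed in the description; the attack modes, historical sequences, threat degrees, events and the two scoring weights are constructed assumptions, since the text fixes none of them.

```python
"""Added example (not the patent's code): S102/S103 of CN113472789B.
Attack modes, historical sequences, threat degrees, events and the scoring
weights below are constructed; class names follow the ATT&CK tactics."""
from typing import Dict, List, Optional, Set, Tuple

Sequence = Tuple[str, ...]

# Constructed preset attack sequence set: attack sequence class -> attack modes.
CLASSES: Dict[str, Set[str]] = {
    "initial_access": {"spearphishing_attachment", "exploit_public_app"},
    "execution": {"powershell", "remote_tool_script"},
    "persistence": {"registry_run_key", "hijack_startup"},
    "defense_evasion": {"disable_security_tool", "masquerade_process"},
    "credential_access": {"credential_dump"},
    "lateral_movement": {"remote_service"},
    "collection": {"screen_capture", "keylogging"},
    "command_and_control": {"c2_beacon"},
    "exfiltration": {"archive_and_upload"},
}

# Constructed historical attack sequences with a known threat degree (0-100).
HISTORICAL: Dict[str, Tuple[Sequence, int]] = {
    "hist_a": (("spearphishing_attachment", "powershell", "registry_run_key",
                "c2_beacon", "archive_and_upload"), 80),
    "hist_b": (("exploit_public_app", "powershell", "credential_dump",
                "remote_service", "archive_and_upload"), 90),
}

# Constructed process-monitor events: (timestamp, pid, attack mode observed).
EVENTS = [
    (100.0, 42, "spearphishing_attachment"),
    (101.0, 42, "powershell"),
    (103.0, 42, "disable_security_tool"),
    (104.0, 7, "powershell"),      # a different process: not part of the sequence
    (105.0, 42, "c2_beacon"),
    (106.0, 42, "archive_and_upload"),
    (900.0, 42, "keylogging"),     # after the monitoring window has closed
]


def build_actual_sequence(events, malicious_pid: int, start_ts: float,
                          window_s: float) -> Sequence:
    """S102: record the malicious process's behaviours in time order for the
    preset time range; later events are dropped because monitoring stopped."""
    return tuple(mode for ts, pid, mode in sorted(events)
                 if pid == malicious_pid and start_ts <= ts <= start_ts + window_s)


class AttackSequenceSet:
    """Preset attack sequence set plus the sequences learned while detecting."""

    def __init__(self, classes: Dict[str, Set[str]],
                 historical: Dict[str, Tuple[Sequence, int]]) -> None:
        self.historical = dict(historical)
        self.learned: List[Sequence] = []
        self.mode_to_class: Dict[str, str] = {}
        for cls, modes in classes.items():
            for mode in modes:
                # Each attack mode belongs to exactly one attack sequence class.
                assert mode not in self.mode_to_class, f"{mode} listed in two classes"
                self.mode_to_class[mode] = cls

    def class_of(self, mode: str) -> Optional[str]:
        return self.mode_to_class.get(mode)

    def classes_in(self, seq: Sequence) -> Set[str]:
        return {c for c in map(self.class_of, seq) if c is not None}

    def threat_degree(self, actual: Sequence) -> Tuple[int, str]:
        """Fig. 4: target = historical sequence sharing the most classes with the
        actual one; behaviours in the classes where the two differ and behaviours
        outside every class yield threat parameters (constructed weights 5 and 10)
        that are added to the target's known degree."""
        actual_classes = self.classes_in(actual)
        target = max(self.historical, key=lambda n: len(
            actual_classes & self.classes_in(self.historical[n][0])))
        target_seq, known = self.historical[target]
        differing = actual_classes ^ self.classes_in(target_seq)
        params = sum(5 for m in actual if self.class_of(m) in differing)
        params += sum(10 for m in actual if self.class_of(m) is None)
        return min(100, known + params), target

    def detect(self, actual: Sequence) -> dict:
        """S103: whole-sequence match first, then per-behaviour class match,
        then threat-degree analysis when unknown behaviours are present."""
        if not actual:
            return {"apt": False, "reason": "no behaviour recorded", "threat": None}
        for name, (seq, degree) in self.historical.items():
            if actual == seq:
                return {"apt": True, "reason": f"identical to {name}", "threat": degree}
        if actual in self.learned:
            return {"apt": True, "reason": "identical to a learned sequence", "threat": None}
        if all(self.class_of(m) is not None for m in actual):
            self.learned.append(actual)  # preferred step: keep it as history
            return {"apt": True, "reason": "every behaviour maps to an attack sequence class",
                    "threat": None}
        threat, target = self.threat_degree(actual)
        return {"apt": True, "reason": f"unknown behaviour present; threat estimated from {target}",
                "threat": threat}


if __name__ == "__main__":
    preset = AttackSequenceSet(CLASSES, HISTORICAL)
    seq = build_actual_sequence(EVENTS, malicious_pid=42, start_ts=100.0, window_s=300.0)
    print(seq, preset.detect(seq))
```

The sequence built from the constructed events omits the event from pid 7 and the keylogging event outside the 300-second window; it matches no stored history but every behaviour maps to a class, so it is reported as an attack and kept as a learned sequence, while a sequence containing an unknown loader falls through to the threat-degree estimate against the closest historical sequence.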
Based on the above embodiments, as a preferred embodiment, how malicious behaviors are determined is described below. It should be noted that the malicious behavior determination process disclosed in this embodiment is only a preferred and general execution process, and those skilled in the art may also determine malicious behaviors in other ways based on this embodiment, which is not limited here. Referring to fig. 2, fig. 2 is a flowchart of a malicious behavior determination process provided in an embodiment of the present application, where the determination process is as follows:
S1011: performing process monitoring on the collected behaviors, and determining the process change of the behaviors;
This step aims at monitoring the processes of the collected behaviors. The behaviors can be collected with a behavior probe, and the behaviors targeted in this step can be all behaviors in the device or system or any subset of them; that is, the range of behaviors can be freely set by a person skilled in the art, for example, if a certain device requires a higher level of security, all behaviors on that device can be collected. The specific form of the behavior probe is not limited here; a kernel driver or an application-layer hook may serve as the behavior probe for collecting behaviors. In this embodiment the collected behaviors are in units of processes, and other units of division may be used in other embodiments. When processes are the unit, the behaviors may include process creation, process exit, process injection, memory read/write, registry operations, file operations, service operations, network behavior, and so on.
S1012: analyzing the flow in the behavior process change by using a network flow probe, and determining the flow content of the behavior;
This step requires analysis of the process's traffic. By monitoring the behaviors, the operations they perform can be identified, including information such as the operation address and the operation object, and at this point a network collection probe can be used to collect traffic. The specific traffic collection mode is not limited; the behavior's traffic can be obtained from bypass mirrored traffic, which does not affect the normal operation of the device or system. The traffic data may include, but is not limited to, the protocol, IP address, DNS (Domain Name System) name and other information of the traffic.
S1013: judging whether the behavior belongs to an attack sequence class in the preset attack sequence set according to the traffic content; if yes, go to S1014;
this step aims at making a determination of malicious behaviour from the content of the behaviour traffic. As described above, various attack behaviors are maintained in the preset attack sequence set, and thus, this step can determine the behavior according to the known attack behaviors in the preset attack sequence set. Of course, it is readily appreciated that this process requires that the preset set of attack sequences require maintenance of attack behavior and traffic characteristics in order to make the comparison and determination at this step. Specifically, it may be determined whether the preset attack sequence set has a target attack sequence class including the process corresponding to the behavior, and if so, the traffic content belongs to a traffic type generated by an attack manner in the target attack sequence class, and it is determined that the behavior belongs to the attack sequence class in the preset attack sequence set, that is, the behavior belongs to the malicious behavior in the foregoing embodiment.
In addition, the process and the flow can be combined to judge whether the behavior belongs to the malicious behavior, namely, on the basis of detecting the flow content, the process change of the behavior is comprehensively judged, so that the judging accuracy of the malicious behavior can be further improved.
S1014: determining that the behavior belongs to a malicious behavior.
When the corresponding attack sequence class cannot be determined according to the traffic content of the behavior, the behavior can be considered not to belong to the malicious behavior.
In particular, if the behavior belongs to the terminal, step S1013 in the embodiment is not necessarily executed at the terminal, but the behavior can be uploaded to the detection platform by the terminal for detection, and the detection platform can request the preset attack sequence set from the cloud when executing step S1013.
As a more preferable implementation manner of this embodiment, referring to fig. 3, fig. 3 is a flowchart of another malicious behavior determination process provided in this embodiment of the present application, after step S1012, the behavior and the traffic may be uploaded to a detection platform. And when executing step S1013, the detection platform may be used to invoke a preset attack sequence set from the cloud to perform matching judgment on the traffic content of the behavior. The preset attack sequence set is arranged on the cloud end, so that the local data storage pressure can be reduced, and the on-line updating of the preset attack sequence set is also facilitated.
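The following is an added example of steps S1011 to S1013 in code; it is not the patent's own implementation. It models the preset attack sequence set as classes whose attack modes each carry a process name and traffic characteristics (protocol, DNS suffix), and judges a behavior malicious only when some class holds an attack mode for the behavior's process and the traffic content matches that attack mode, with the combined process-change check of the text as an option. All class names, attack modes, process names and sample behaviors are constructed for illustration.

```python
"""Added example (not the patent's code): steps S1011 to S1013 as a matcher.

A behavior probe yields a process event; a traffic probe yields the flow that
the process produced. The preset attack sequence set records, for each attack
mode, the process it runs in and the traffic it generates. A behavior is
judged malicious only when some attack sequence class contains an attack mode
for the behavior's process AND the traffic content matches that attack mode.
All class names, attack modes, process names and sample behaviors below are
constructed for illustration; they are not from the patent.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# process changes reported by the behavior probe (the list given in the text)
MONITORED_CHANGES = {"create", "exit", "inject", "memory_rw", "registry",
                     "file", "service", "network"}


@dataclass(frozen=True)
class AttackMode:
    name: str                         # e.g. "a1"
    process: str                      # process image the attack mode runs in
    protocol: str                     # traffic characteristic: protocol
    dns_suffix: Optional[str] = None  # traffic characteristic: DNS domain suffix, if any


@dataclass
class AttackSequenceClass:
    name: str                         # e.g. "A"
    stage: int                        # position in the attack flow A->B->C...
    modes: List[AttackMode] = field(default_factory=list)


@dataclass
class Behavior:
    pid: int
    process: str
    process_change: str               # from the behavior probe
    protocol: str                     # from the network traffic probe
    dns_query: str = ""               # from the network traffic probe


def traffic_matches(mode: AttackMode, b: Behavior) -> bool:
    """Traffic condition of S1013: is b's traffic of the type this attack mode generates?"""
    if mode.protocol != b.protocol:
        return False
    if mode.dns_suffix is None:
        return True
    return b.dns_query.endswith(mode.dns_suffix)


def classify_behavior(b: Behavior, preset: List[AttackSequenceClass],
                      require_process_change: bool = True) -> Optional[Tuple[str, str]]:
    """Return (class name, attack mode name) if b belongs to a class, else None.

    Process condition: some class must hold an attack mode whose process is b's
    process (that class is the "target attack sequence class").
    Traffic condition: b's traffic content must match that attack mode.
    Combined judgment (optional): b must also show a monitored process change,
    which keeps benign traffic to the same destination from matching on its own.
    """
    if require_process_change and b.process_change not in MONITORED_CHANGES:
        return None
    for cls in sorted(preset, key=lambda c: c.stage):
        for mode in cls.modes:
            if mode.process == b.process and traffic_matches(mode, b):
                return cls.name, mode.name
    return None


# constructed preset attack sequence set: two classes, one attack mode each
PRESET = [
    AttackSequenceClass("A", 1, [AttackMode("a1", "powershell.exe", "http", ".stage.example")]),
    AttackSequenceClass("B", 2, [AttackMode("b1", "rundll32.exe", "dns", ".c2.example")]),
]

# constructed behaviors, as a terminal would upload them to the detection platform
SAMPLES = [
    Behavior(4120, "powershell.exe", "create", "http", "cdn.stage.example"),      # A / a1
    Behavior(4130, "explorer.exe", "create", "http", "cdn.stage.example"),        # same traffic, wrong process
    Behavior(4140, "powershell.exe", "create", "https", "update.vendor.example"), # right process, benign traffic
    Behavior(4150, "rundll32.exe", "network", "dns", "beacon.c2.example"),        # B / b1
    Behavior(4160, "rundll32.exe", "unknown", "dns", "beacon.c2.example"),        # no monitored process change
]


def classify_all(samples=SAMPLES, preset=PRESET, require_process_change=True):
    return [classify_behavior(b, preset, require_process_change) for b in samples]


if __name__ == "__main__":
    for b, verdict in zip(SAMPLES, classify_all()):
        print(b.pid, b.process, "->", verdict or "not malicious")
```

Only the first and fourth samples are judged malicious: the second has the attack traffic but the wrong process, the third has the right process but benign traffic, and the fifth loses its match only because the combined judgment requires a monitored process change.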
On the basis of the above embodiment, this embodiment further refines how the malicious behavior is monitored and how its actual attack sequence is obtained. The process may be as follows:
S1021: monitoring the process changes of the malicious behavior within a preset time range to obtain the associated behaviors of the malicious behavior;
S1022: recording the malicious behavior and all of its corresponding associated behaviors to obtain the actual attack sequence of the malicious behavior.
The preset time range is not particularly limited and may be set freely by those skilled in the art, for example 5 minutes, or according to the security detection period of the system itself. If, within the preset time range, an associated behavior of the malicious behavior itself belongs to some attack sequence class, that associated behavior can be placed directly into the actual attack sequence.
It should be noted that in this embodiment the associated behaviors include at least the first-level associated behaviors of the malicious behavior. Taking the malicious behavior as the initial behavior, the behaviors it triggers directly are called first-level associated behaviors, the behaviors triggered by the first-level associated behaviors are called second-level associated behaviors, and so on. The resulting actual attack sequence should contain the malicious behavior and all of its associated behaviors, that is, all first-level, second-level, third-level and further associated behaviors.
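The following is an added example of steps S1021 and S1022 as a walk over process-change events; it is not the patent's code. Starting from the malicious behavior as level 0, it follows the processes that behavior creates or injects into (first level), then what those trigger (second level), and so on, keeping only events inside the preset time range measured from the initial behavior. The event record fields, the 5-minute window and the sample events are constructed for this example; the patent does not fix an event format.

```python
"""Added example (not the patent's code): S1021 and S1022 as a process-tree walk.

The malicious behavior is the initial behavior (level 0). Every process change
it triggers directly (a child process, an injection target) is a first-level
associated behavior; what those trigger is second-level; and so on. Only events
inside the preset time range counted from the initial behavior are associated.
The event fields, the 5-minute window and the sample events are constructed
for this example; the patent does not fix an event format.
"""
from collections import deque
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    ts: float                          # seconds, relative to the capture start
    pid: int                           # process performing the event
    parent_pid: int                    # process that created, or injected into, pid
    kind: str                          # "create", "inject", "file", "network", ...
    attack_mode: Optional[str] = None  # label from S1013-style matching, if any


def actual_attack_sequence(events: List[ProcessEvent], root_pid: int,
                           window: float = 300.0) -> List[Tuple[int, ProcessEvent]]:
    """Return [(association level, event)] for the malicious behavior and all of
    its associated behaviors within `window` seconds of its first event, in time order."""
    root_events = sorted((e for e in events if e.pid == root_pid), key=lambda e: e.ts)
    if not root_events:
        return []
    t0 = root_events[0].ts
    deadline = t0 + window

    def events_of(pid: int) -> List[ProcessEvent]:
        # only events inside the preset time range count as associated
        return sorted((e for e in events if e.pid == pid and t0 <= e.ts <= deadline),
                      key=lambda e: e.ts)

    children = {}                      # parent_pid -> pids it created or injected into
    for e in events:
        if e.kind in ("create", "inject") and e.pid != e.parent_pid:
            children.setdefault(e.parent_pid, []).append(e.pid)

    seq = [(0, e) for e in events_of(root_pid)]
    seen = {root_pid}
    queue = deque([(root_pid, 0)])
    while queue:                       # breadth-first: level n triggers level n+1
        pid, level = queue.popleft()
        for child in children.get(pid, []):
            if child in seen:
                continue
            child_events = events_of(child)
            if not child_events:       # triggered outside the preset time range
                continue
            seen.add(child)
            seq.extend((level + 1, e) for e in child_events)
            queue.append((child, level + 1))
    seq.sort(key=lambda item: item[1].ts)
    return seq


def attack_mode_chain(seq: List[Tuple[int, ProcessEvent]]) -> List[str]:
    """The attack modes of the sequence in time order, e.g. ['a1', 'b2', 'c2']."""
    return [e.attack_mode for _, e in seq if e.attack_mode is not None]


# constructed events: pid 100 is the malicious behavior detected in S1013
EVENTS = [
    ProcessEvent(0.0, 100, 1, "create", "a1"),        # initial behavior (level 0)
    ProcessEvent(2.0, 100, 1, "network"),
    ProcessEvent(10.0, 200, 100, "create", "b2"),     # first level: spawned by 100
    ProcessEvent(45.0, 300, 200, "create"),           # second level: spawned by 200
    ProcessEvent(50.0, 300, 200, "network", "c2"),
    ProcessEvent(20.0, 500, 1, "create"),             # sibling of 100, not triggered by it
    ProcessEvent(900.0, 400, 100, "create", "e1"),    # triggered by 100, but after the window
]


if __name__ == "__main__":
    for level, e in actual_attack_sequence(EVENTS, root_pid=100):
        print(f"level {level} t={e.ts:6.1f} pid={e.pid} {e.kind} {e.attack_mode or ''}")
    print("actual attack sequence:", " -> ".join(attack_mode_chain(actual_attack_sequence(EVENTS, 100))))
```

The walk yields a1 -> b2 -> c2: pid 300 is included as a second-level associated behavior even though it was not spawned by the malicious process directly, pid 500 is excluded because pid 100 did not trigger it, and pid 400 is excluded because it falls outside the 300-second window.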
Further, based on the above embodiment, as a preferred implementation, the following describes in detail how the actual attack sequence is analyzed and its threat degree determined when the actual attack sequence contains an attack behavior that does not exist in the preset attack sequence set. Referring to fig. 4, fig. 4 is a flowchart of the process for determining the threat degree of the actual attack sequence provided in an embodiment of the present application. The process is as follows:
S201: determining, in the preset attack sequence set, the target attack sequence that shares the largest number of attack sequence classes with the actual attack sequence, and identifying the attack sequence classes in which the actual attack sequence and the target attack sequence differ;
S202: performing threat degree detection on the malicious behaviors of the actual attack sequence that fall in the differing attack sequence classes, to obtain threat parameters;
S203: determining the actual threat degree of the actual attack sequence from the known threat degree of the target attack sequence and the threat parameters.
Specifically, the target attack sequence most similar to the actual attack sequence is found in the preset attack sequence set; the target attack sequence may be derived from a historical attack sequence. The only requirement on the target attack sequence is that it share the largest number of attack sequence classes with the actual attack sequence. In other words, the target attack sequence and the actual attack sequence have highly similar or even identical attack sequence classes, that is, highly similar or identical attack flows, so the threat degree of the actual attack sequence can be inferred from the target attack sequence whose threat degree is known. Threat degree detection is performed on the attack behaviors in which the actual attack sequence differs from the target attack sequence to obtain the corresponding threat parameters, and the actual threat degree of the actual attack sequence is then determined from the known threat degree of the target attack sequence and those threat parameters. The threat parameters are not particularly limited here and may be set by those skilled in the art with reference to the attack object, the attack mode, the degree of data damage, and the like. The known threat degree of the target attack sequence must be computed under the same scheme; otherwise the two quantities are not comparable and combining them is meaningless.
In this embodiment, when the actual attack sequence of a malicious behavior is not fully recognized by the preset attack sequence set, its threat degree can still be reasonably estimated from that of the target attack sequence. This makes the threat degree of the malicious behavior determinable, allows handling to be prioritized by threat degree, and improves system security.
The following describes a specific application of matching an actual attack sequence in the attack detection method provided by the application. It is assumed that the preset attack sequence set has already been configured and contains 5 attack sequence classes A, B, C, D and E, executed in the order A→B→C→D→E, where A = {a1, a2, a3}, that is, attack sequence class A contains the three attack modes a1, a2 and a3, and likewise B = {b1, b2, b3}, C = {c1, c2, c3}, D = {d1, d2, d3}, E = {e1, e2, e3}.
If malicious behavior a1 is detected and monitoring yields the actual attack sequence a1→b2→c2, the actual attack sequence is matched against the preset attack sequence set: the attack behaviors a1, b2 and c2 are confirmed to belong to attack sequence classes A, B and C respectively, and an attack can be confirmed.
If malicious behavior b1 is detected and monitoring yields the actual attack sequence b1→c3→e2, the actual attack sequence is matched against the preset attack sequence set: the attack behaviors b1, c3 and e2 are confirmed to belong to attack sequence classes B, C and E respectively, and an attack can be confirmed.
If malicious behavior a1 is detected and monitoring yields the actual attack sequence a1→b4→d2, matching against the preset attack sequence set finds that b4 is not in the set but that the set contains the historical attack sequence a1→b2→d2. Threat degree detection is then performed on b4 to obtain a threat parameter, and the threat degree of the actual attack sequence a1→b4→d2 is determined by combining the known threat degree of the historical attack sequence a1→b2→d2 with that threat parameter.
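The following is an added example, not the patent's code, that runs the three cases above against the preset attack sequence set A..E of the text and carries out steps S201 to S203 for the sequence a1→b4→d2. The historical sequences and their threat degrees, the rule that assigns a threat parameter to a differing attack mode, and the combination rule (known threat degree of the target sequence plus the threat parameter of each differing mode) are assumptions of this example, since the patent leaves threat parameters to the implementer; the check that matched classes appear in stage order is also this example's addition.

```python
"""Added example (not the patent's code): matching an actual attack sequence
against the preset attack sequence set of the text (classes A..E in stage
order, three attack modes each) and estimating the threat degree of a sequence
with an unknown attack mode, for the cases a1->b2->c2, b1->c3->e2, a1->b4->d2.
The historical sequences, their threat degrees, the threat parameter rule and
the combination rule (known threat degree of the target sequence plus the
threat parameter of each differing attack mode) are assumptions of this
example; the patent leaves them to the implementer. The stage-order check is
also this example's addition.
"""
from typing import Dict, List, Optional, Tuple

# preset attack sequence set; insertion order is the attack flow A->B->C->D->E
PRESET: Dict[str, set] = {
    "A": {"a1", "a2", "a3"},
    "B": {"b1", "b2", "b3"},
    "C": {"c1", "c2", "c3"},
    "D": {"d1", "d2", "d3"},
    "E": {"e1", "e2", "e3"},
}
STAGE = {cls: i for i, cls in enumerate(PRESET)}

# historical attack sequences with a known threat degree (constructed values)
HISTORY: Dict[Tuple[str, ...], int] = {
    ("a1", "b2", "c2"): 60,
    ("b1", "c3", "e2"): 70,
    ("a1", "b2", "d2"): 80,
}


def class_of(mode: str) -> Optional[str]:
    """Attack sequence class holding this attack mode, or None if it is unknown."""
    for cls, modes in PRESET.items():
        if mode in modes:
            return cls
    return None


def match_sequence(actual: List[str]) -> Tuple[str, List[Optional[str]]]:
    """Detection result for an actual attack sequence, plus the class of each mode."""
    classes = [class_of(m) for m in actual]
    known = [c for c in classes if c is not None]
    in_stage_order = all(STAGE[x] < STAGE[y] for x, y in zip(known, known[1:]))
    if tuple(actual) in HISTORY:
        return "directional threat attack (known historical sequence)", classes
    if not in_stage_order:
        return "not matched (classes out of stage order)", classes
    if None not in classes:
        return "directional threat attack (every mode in a preset class)", classes
    return "partially matched: unknown attack modes, estimate threat degree", classes


def threat_parameter(mode: str) -> int:
    """Threat degree detection for one differing attack mode (S202).
    Constructed rule: weight by the stage the mode's name suggests."""
    return {"a": 5, "b": 10, "c": 15, "d": 20, "e": 25}.get(mode[0], 10)


def estimate_threat(actual: List[str]) -> Tuple[Tuple[str, ...], List[str], int]:
    """S201 to S203: returns (target sequence, differing modes, actual threat degree)."""
    classes = [class_of(m) for m in actual]
    actual_classes = {c for c in classes if c is not None}
    # S201: the historical sequence sharing the most attack sequence classes
    target = max(HISTORY, key=lambda h: len({class_of(m) for m in h} & actual_classes))
    target_classes = {class_of(m) for m in target}
    # the differing classes: modes whose class is unknown or absent from the target
    differing = [m for m, c in zip(actual, classes) if c is None or c not in target_classes]
    # S202 + S203: combine the known threat degree with the threat parameters
    threat = HISTORY[target] + sum(threat_parameter(m) for m in differing)
    return target, differing, threat


if __name__ == "__main__":
    for seq in (["a1", "b2", "c2"], ["b1", "c3", "e2"], ["a1", "b4", "d2"]):
        verdict, classes = match_sequence(seq)
        print("->".join(seq), classes, verdict)
        if None in classes:
            print("   target, differing, threat:", estimate_threat(seq))
```

For a1→b4→d2 the target is a1→b2→d2 (it shares classes A and D, while a1→b2→c2 shares only A), the differing class is B with b4 as its mode, and under the assumed rules the actual threat degree is 80 + 10 = 90.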
The following describes the attack detection system provided by the present application. Referring to fig. 5, fig. 5 is an application architecture diagram of the attack detection system provided in an embodiment of the present application; it is formed by a cloud and a detection platform, and may further include a plurality of terminals communicating with the detection platform. Wherein:
the detection platform is used for acquiring malicious behaviors and obtaining the actual attack sequence of the malicious behaviors; requesting the preset attack sequence set from the cloud, and matching the actual attack sequence against the attack sequence classes in the preset attack sequence set to obtain a detection result; the detection result is used to represent a directional (targeted) threat attack;
the cloud is used for storing the preset attack sequence set.
The terminal collects behaviors with a behavior probe and collects the traffic of those behaviors with a network traffic probe, packages them in a preset format and uploads them to the detection platform; the behaviors and the traffic may be packaged separately or together. The detection platform requests the preset attack sequence set from the cloud and judges, from the process changes and traffic content of a behavior, whether it belongs to any attack sequence class in the preset attack sequence set; if so, the behavior is determined to be malicious.
The terminal monitors the process changes of the malicious behavior within a preset time range and records its associated behaviors to obtain the actual attack sequence;
the terminal uploads the actual attack sequence to the detection platform, which matches it against the preset attack sequence set to obtain the detection result. The detection result can then be returned to the terminal, or an alarm can be raised directly.
It can be seen that the detection platform can be connected to multiple terminal devices at once, so that the platform performs attack detection for the terminals and the network security of the terminals is ensured.
The present application also provides a computer readable storage medium having stored thereon a computer program which, when executed, can implement the steps of the attack detection method provided in the above embodiments. The storage medium may include: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
The application also provides an electronic device, which can include a memory and a processor, wherein the memory stores a computer program, and the processor can realize the steps of the attack detection method provided by the embodiment when calling the computer program in the memory. Of course the electronic device may also include various network interfaces, power supplies, etc. Referring to fig. 6, fig. 6 is a schematic structural diagram of an electronic device provided in an embodiment of the present application, where the electronic device in the embodiment may include: a processor 2101 and a memory 2102.
Optionally, the electronic device may further comprise a communication interface 2103, an input unit 2104 and a display 2105 and a communication bus 2106.
The processor 2101, memory 2102, communication interface 2103, input unit 2104, display 2105, and all communicate with each other via communication bus 2106.
In the embodiment of the present application, the processor 2101 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), a digital signal processor (DSP), a field-programmable gate array (FPGA), or another programmable logic device.
The processor may call a program stored in the memory 2102. In particular, the processor may perform the operations performed by the electronic device in the above embodiments.
The memory 2102 is used to store one or more programs, and the programs may include program code that includes computer operation instructions, and in this embodiment, at least the programs for implementing the following functions are stored in the memory:
acquiring malicious behaviors; the malicious behavior corresponds to one of the attack modes;
obtaining an actual attack sequence according to the malicious behavior;
and obtaining a detection result according to the attack sequence class and the actual attack sequence, wherein the detection result is used for representing the directional threat attack.
In one possible implementation, the memory 2102 may include a program storage area and a data storage area, where the program storage area may store an operating system and at least one application program required for a function (such as the attack detection function), and the data storage area may store data created during use of the computer.
In addition, memory 2102 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device or other non-volatile solid-state storage device.
The communication interface 2103 may be an interface of a communication module, such as an interface of a GSM module.
The application may also include a display 2105 and an input unit 2104, and so on.
The structure of the electronic device shown in fig. 6 is not limited to the electronic device in the embodiment of the present application, and the electronic device may include more or fewer components than those shown in fig. 6 or may combine some components in practical applications.
In this specification each embodiment is described progressively, with the emphasis on its differences from the other embodiments; for the parts that are the same or similar, the embodiments refer to one another. The system provided by the embodiment corresponds to the method provided by the embodiment, so its description is comparatively brief; see the description of the method for the relevant points.
Specific examples are set forth herein to illustrate the principles and embodiments of the present application, and the description of the examples above is only intended to assist in understanding the methods of the present application and their core ideas. It should be noted that it would be obvious to those skilled in the art that various improvements and modifications can be made to the present application without departing from the principles of the present application, and such improvements and modifications fall within the scope of the claims of the present application.
It should also be noted that in this specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. An attack detection method is characterized in that a preset attack sequence set is preset, the preset attack sequence set comprises a plurality of attack sequence classes, the attack sequence classes comprise at least one attack mode, and the detection method comprises the following steps:
acquiring malicious behaviors; the malicious behavior corresponds to one of the attack modes;
obtaining an actual attack sequence according to the malicious behavior;
obtaining a detection result according to the attack sequence class and the actual attack sequence, wherein the detection result is used for representing a directional threat attack;
if the actual attack sequence includes malicious behaviors that do not belong to any attack sequence class, the method further includes:
analyzing the actual attack sequence and determining the threat degree of the actual attack sequence;
analyzing the actual attack sequence, and determining the threat degree of the actual attack sequence comprises the following steps:
determining, in the preset attack sequence set, the target attack sequence that shares the largest number of attack sequence classes with the actual attack sequence, and identifying the attack sequence classes in which the actual attack sequence and the target attack sequence differ;
performing threat degree detection on the malicious behaviors of the actual attack sequence that fall in the differing attack sequence classes, to obtain threat parameters;
and determining the actual threat degree of the actual attack sequence according to the known threat degree of the target attack sequence and the threat parameters.
2. The attack detection method according to claim 1, wherein before the malicious behavior is acquired, further comprising:
performing process monitoring on the collected behaviors, and determining the process change of the behaviors;
analyzing the flow in the behavior process change by using a network flow probe, and determining the flow content of the behavior;
judging whether the behavior belongs to an attack sequence class in the preset attack sequence set according to the traffic content;
if yes, determining that the behavior belongs to malicious behavior.
3. The detection method according to claim 2, wherein determining whether the behavior belongs to an attack sequence class in the preset attack sequence set according to the traffic content comprises:
judging whether the preset attack sequence set has a target attack sequence class containing the corresponding process of the behavior;
if such a target attack sequence class exists, and the traffic content belongs to the traffic type generated by an attack mode in the target attack sequence class, judging that the behavior belongs to the attack sequence class in the preset attack sequence set.
4. The attack detection method according to claim 1, wherein deriving an actual attack sequence from the malicious behavior comprises:
monitoring the process change of the malicious behavior within a preset time range to obtain the associated behavior of the malicious behavior;
recording the malicious behaviors and all corresponding associated behaviors thereof to obtain an actual attack sequence of the malicious behaviors.
5. The attack detection method according to claim 1, further comprising, before obtaining a detection result according to the attack sequence class and the actual attack sequence:
and configuring an attack sequence class according to the attack stage, and adding a corresponding attack mode for the attack sequence class according to the historical attack sequence to obtain the preset attack sequence set.
6. The attack detection method according to claim 1, wherein obtaining the detection result according to the attack sequence class and the actual attack sequence comprises:
if the actual attack sequence is the same as any historical attack sequence in a preset attack sequence set, or the malicious behaviors in the actual attack sequence belong to attack sequence classes in the preset attack sequence set, determining that the detection result of the attack detection is under the directional threat attack.
7. The attack detection method according to any one of claims 1-6, wherein after obtaining a detection result according to the attack sequence class and the actual attack sequence, further comprising:
and generating corresponding alarm information according to the detection result, wherein the alarm information is used for guiding the treatment of the malicious behavior and the actual attack sequence.
8. An attack detection system, comprising:
the detection platform is used for acquiring malicious behaviors and obtaining an actual attack sequence of the malicious behaviors; requesting a preset attack sequence set from the cloud, and matching the actual attack sequence against the attack sequence classes in the preset attack sequence set to obtain a detection result; the detection result is used for representing a directional threat attack;
wherein, the detection platform is further used for executing the following steps:
analyzing the actual attack sequence and determining the threat degree of the actual attack sequence;
analyzing the actual attack sequence, and determining the threat degree of the actual attack sequence comprises the following steps:
determining, in the preset attack sequence set, the target attack sequence that shares the largest number of attack sequence classes with the actual attack sequence, and identifying the attack sequence classes in which the actual attack sequence and the target attack sequence differ;
performing threat degree detection on the malicious behaviors of the actual attack sequence that fall in the differing attack sequence classes, to obtain threat parameters;
determining the actual threat degree of the actual attack sequence according to the known threat degree of the target attack sequence and the threat parameters;
the cloud end is used for storing the preset attack sequence set.
9. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the attack detection method according to any of claims 1-7.
10. An electronic device comprising a memory and a processor, the memory having a computer program stored therein, the processor implementing the steps of the attack detection method according to any of claims 1-7 when the computer program in the memory is invoked by the processor.
CN202110741980.0A 2021-06-30 2021-06-30 Attack detection method, attack detection system, storage medium and electronic device Active CN113472789B (en)
