CN114363010A - APT attack detection method, device and system of server and storage medium - Google Patents

APT attack detection method, device and system of server and storage medium

Info

Publication number
CN114363010A
Authority
CN
China
Prior art keywords
server
apt attack
apt
traffic information
attack
Prior art date
Legal status
Withdrawn
Application number
CN202111525523.4A
Other languages
Chinese (zh)
Inventor
黄晨静子
范渊
刘博�
Current Assignee
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd
Priority date
2021-12-14
Filing date
2021-12-14
Publication date
2022-04-15
Events
2021-12-14: Application filed by DBAPPSecurity Co Ltd
2021-12-14: Priority to CN202111525523.4A
2022-04-15: Publication of CN114363010A
Legal status: Withdrawn

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an APT attack detection method for a server, comprising the following steps: acquiring traffic information corresponding to the server IP; identifying APT attack traffic information from the traffic information; and judging, according to the APT attack traffic information, whether the server is under APT attack, and if so, sending APT attack prompt information. By acquiring the traffic information corresponding to a server IP, identifying the APT attack traffic information within it, judging from that APT attack traffic information whether the corresponding server is under APT attack, and sending APT attack prompt information when it is determined to be under attack, the invention can detect the APT attack condition of the server during use and prompt the attack in time, so that defensive measures can be taken for the server promptly and information security improved.

Description

APT attack detection method, device and system of server and storage medium
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a method, an apparatus, a system, and a computer-readable storage medium for detecting an APT attack on a server.
Background
APT attack techniques are an important capability in the development of national intelligence organizations and cyber-warfare forces, and are currently an important profit-making tool for cybercrime groups. As rivalry between countries intensifies and China's internet economy continues to grow, China's information systems will become important targets of APT attacks. For any server, a good daily operating condition is very important, and more and more organizations are beginning to focus on the daily operation of their servers.
However, at present, server maintainers cannot identify whether a server is under APT attack, so they cannot take defensive measures against it; this may affect the normal operation of the server and may even allow user information to be stolen.
Therefore, how to provide an APT attack detection method, apparatus, system and computer readable storage medium for a server becomes a problem to be solved by those skilled in the art.
Disclosure of Invention
Embodiments of the present invention provide a method, an apparatus, a system, and a computer-readable storage medium for detecting an APT attack of a server, which can detect an APT attack condition of the server during a use process, and prompt an APT attack in time, so as to take a defense measure against the server in time and improve information security.
In order to solve the above technical problem, an embodiment of the present invention provides a method for detecting an APT attack of a server, including:
acquiring traffic information corresponding to the server IP;
identifying APT attack traffic information from the traffic information;
and judging, according to the APT attack traffic information, whether the server is under APT attack, and if so, sending APT attack prompt information.
Optionally, the process of acquiring the traffic information corresponding to the server IP is as follows:
acquiring the traffic information of the latest n time periods corresponding to the server IP through an APT probe;
then, the process of identifying the APT attack traffic information from the traffic information is as follows:
and identifying APT attack traffic information from the traffic information of each time period.
Optionally, the process of determining whether the server is attacked by the APT attack according to the APT attack traffic information is as follows:
calculating the APT attack score of the server according to the APT attack traffic information of each time period;
and judging whether the APT attack score is larger than a preset threshold value, if so, enabling the server to be attacked by the APT, and if not, enabling the server not to be attacked by the APT.
Optionally, the process of calculating the APT attack score of the server according to the APT attack traffic information of each time segment is as follows:
calculating the APT attack traffic size corresponding to each time period according to the APT attack traffic information of each time period;
calculating the APT attack score of the server according to the APT attack traffic and a preset calculation relation; wherein:
the preset calculation relation is given in Figure BDA0003410238110000021 (formula image not reproduced on this page);
where f(n) represents the APT attack score of the server, n represents the total number of time periods, X_i represents the APT attack traffic size of the (n-i+1)-th time period, and the remaining symbol represents the average value of the APT attack traffic over the n time periods.
Optionally, the process of sending the APT attack prompt message is as follows:
acquiring a pre-stored push address corresponding to the server IP;
and sending APT attack prompt information to the push address.
The embodiment of the invention also provides an APT attack detection device of a server, which comprises:
the acquisition module is used for acquiring traffic information corresponding to the server IP;
the identification module is used for identifying APT attack traffic information from the traffic information;
the judging module is used for judging, according to the APT attack traffic information, whether the server is under APT attack, and if so, triggering the sending module;
and the sending module is used for sending APT attack prompt information.
Optionally, the obtaining module is specifically configured to obtain, through the APT probe, traffic information of the latest n time periods corresponding to the server IP;
the identifying module is specifically configured to identify APT attack traffic information from the traffic information of each time period.
Optionally, the determining module includes:
the calculating unit is used for calculating the APT attack score of the server according to the APT attack traffic information of each time period;
the judging unit is used for judging whether the APT attack score is larger than a preset threshold value or not, if so, the server is attacked by the APT, and the sending module is triggered; and if not, the server is not attacked by the APT, and the process is finished.
The embodiment of the invention also provides an APT attack detection system of a server, which comprises:
a memory for storing a computer program;
and the processor is used for realizing the steps of the APT attack detection method of the server when executing the computer program.
The embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the steps of the APT attack detection method of the server are implemented as described above.
The APT attack detection method of the server in the embodiment of the invention comprises the following steps: acquiring traffic information corresponding to the server IP; identifying APT attack traffic information from the traffic information; and judging, according to the APT attack traffic information, whether the server is under APT attack, and if so, sending APT attack prompt information. Therefore, in the embodiment of the invention, the traffic information corresponding to the server IP is acquired, the APT attack traffic information is identified from it, whether the corresponding server is under APT attack is judged from that APT attack traffic information, and APT attack prompt information is sent when the server is determined to be under attack; the invention can thus detect the APT attack condition of the server during use and prompt the attack in time, so that defensive measures can be taken for the server promptly and information security improved.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed in the prior art and the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings without creative efforts.
Fig. 1 is a schematic flowchart of an APT attack detection method for a server according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of an APT attack detection apparatus of a server according to an embodiment of the present invention.
Detailed Description
The embodiment of the invention provides a method, a device and a system for detecting the APT attack of a server and a computer readable storage medium, which can realize the detection of the APT attack condition of the server in the using process and prompt the APT attack in time so as to take defense measures to the server in time and improve the information security.
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1, fig. 1 is a flowchart illustrating an APT attack detection method of a server according to an embodiment of the present invention. The method comprises the following steps:
S110: acquiring traffic information corresponding to the server IP;
it should be noted that, in the embodiment of the present invention, an IP of a server to be detected may be obtained in advance, and then traffic information corresponding to the server IP is obtained according to the server IP, and of course, in practical applications, a plurality of server IPs may be configured in advance to detect an APT attack situation of a plurality of servers.
S120: identifying APT attack traffic information from the traffic information;
specifically, in the embodiment of the present invention, after the traffic information is obtained, the APT attack traffic information is identified from the traffic information, and specifically, whether the traffic information is the APT attack traffic information may be identified through information such as a request header of the traffic information, a request frequency, and an information size, where the request header includes information such as an identifier.
S130: judging whether the server is attacked by the APT according to the APT attack flow information, if so, entering S140;
S140: sending APT attack prompt information.
Specifically, after the APT attack traffic information is identified, it is analyzed to judge whether the server corresponding to the server IP is under APT attack, and when this is determined, APT attack prompt information is sent. In particular, a pre-stored push address corresponding to the server IP can be obtained, and when the server is determined to be under APT attack, the APT attack prompt information is sent to that push address, so that the operation and maintenance personnel of the server can take defensive measures in time after receiving it. The push address may be a mailbox address or another communication address; the embodiment of the present invention does not particularly limit it.
Further, the process of acquiring the traffic information corresponding to the server IP in S110 may specifically be:
acquiring the traffic information of the latest n time periods corresponding to the server IP through an APT probe;
That is, in the embodiment of the present invention, when acquiring the traffic information corresponding to the server IP, a time interval may be preset, and the APT probe is used to acquire the traffic information of the latest n time periods corresponding to the server IP, where n may be 24 and the time interval may be one hour, that is, the traffic information of each hour in the latest 24 hours is acquired. Of course, in practical applications, the specific values of n and of the time interval may be determined according to the actual situation, which the embodiment of the present invention does not limit.
Then, the process of identifying the APT attack traffic information from the traffic information in S120 may specifically be:
and identifying APT attack traffic information from the traffic information of each time period.
Specifically, for the traffic information of each time period, the APT attack traffic information in the time period is identified from the traffic information of the time period, so that the APT attack traffic information corresponding to each time period can be obtained, wherein if the traffic information of a certain time period does not have the APT attack traffic information, the APT attack traffic information in the time period can be considered to be 0.
Further, the step of determining whether the server is attacked by the APT attack according to the APT attack traffic information in the step S130 may specifically be:
calculating the APT attack score of the server according to the APT attack traffic information of each time period;
and judging whether the APT attack score is larger than a preset threshold value, if so, enabling the server to be attacked by the APT, and if not, enabling the server not to be attacked by the APT.
It should be noted that, in the embodiment of the present invention, an APT attack score corresponding to the server IP may be calculated according to the APT attack traffic information of each time period, and a threshold (for example, 300) may be preset, and when the APT attack score is greater than the preset threshold, it is determined that the corresponding server is attacked by the APT, and at this time, the APT attack prompt information may be sent.
Further, the process of calculating the APT attack score of the server according to the APT attack traffic information of each time period may specifically be:
calculating the APT attack traffic size corresponding to each time period according to the APT attack traffic information of each time period;
calculating the APT attack score of the server according to the size of each APT attack flow and a preset calculation relation; wherein:
the preset calculation relation is given in Figure BDA0003410238110000061 (formula image not reproduced on this page);
where f(n) represents the APT attack score of the server, n represents the total number of time periods, X_i represents the APT attack traffic size of the (n-i+1)-th time period, and the remaining symbol represents the average value of the APT attack traffic over the n time periods.
It should be noted that, in the embodiment of the present invention, the size of the APT attack traffic may be calculated for the APT attack traffic information of each time period, giving a plurality of APT attack traffic values; the average value of the APT attack traffic over the n time periods may then be calculated, and the APT attack score of the server calculated according to the preset calculation relation, where X_i indicates the size of the APT attack traffic of the (n-i+1)-th time period. For example, when n is 24 and the time interval is one hour, X_1 indicates the amount of APT attack traffic within the 24th hour of acquisition.
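The windowing, per-period sizing, indexing of X_i and threshold decision from steps S110 to S140, as an added worked example that is not code from the patent. It assumes a constructed probe record shape, an assumed traffic classifier (the page names header identifier, request frequency and size as the signals but gives no rule), and a stand-in scoring relation, since the patent's own formula is not reproduced on this page.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, Iterable, List, Tuple

# One captured request as an APT probe might report it (constructed record shape,
# not the patent's format): (dst_ip, capture time, size in bytes,
# request-header identifier, requests per minute from the source).
Record = Tuple[str, datetime, int, str, float]

N_PERIODS = 24                # n = 24 one-hour periods, per the description
PERIOD = timedelta(hours=1)
THRESHOLD = 300               # preset threshold given in the description

def is_apt_traffic(header_id: str, rate: float, size: int) -> bool:
    """Assumed classifier. The page says APT traffic is recognised from the
    request-header identifier, request frequency and size but gives no rule;
    this marker/rate/size check only stands in for that step."""
    return header_id == "apt-marker" or (rate > 600 and size > 1_000_000)

def period_sizes(records: Iterable[Record], server_ip: str, now: datetime) -> List[int]:
    """Return [X_1, ..., X_n]. X_i is the APT attack traffic (bytes) of the
    (n-i+1)-th period, so X_1 is the most recent hour and X_n the oldest.
    A period with no APT traffic counts as 0, as the description states."""
    start = now - N_PERIODS * PERIOD
    buckets: Dict[int, int] = defaultdict(int)   # 0 = oldest, n-1 = newest
    for dst_ip, ts, size, header_id, rate in records:
        if dst_ip != server_ip or not (start <= ts < now):
            continue                               # other server or outside window
        if is_apt_traffic(header_id, rate, size):
            buckets[(ts - start) // PERIOD] += size
    # X_i corresponds to period n-i+1, i.e. bucket n-i
    return [buckets[N_PERIODS - i] for i in range(1, N_PERIODS + 1)]

def default_score(x: List[int], avg: float) -> float:
    """Stand-in for the patent's 'preset calculation relation', which this page
    does not reproduce (assumption): traffic above the window average, weighted
    1/i so recent hours dominate, expressed in KiB."""
    return sum(max(xi - avg, 0.0) / i for i, xi in enumerate(x, start=1)) / 1024.0

def detect(records, server_ip, now, push_book, score_fn=default_score):
    """S110-S140: window the probe traffic, size the APT traffic per period,
    score it against the preset threshold, and resolve the pre-stored push
    address. Returns (attacked, score, push_address_or_None)."""
    x = period_sizes(records, server_ip, now)
    score = score_fn(x, mean(x))
    attacked = score > THRESHOLD
    return attacked, score, (push_book.get(server_ip) if attacked else None)

# Constructed sample: a 24-hour window ending 2021-12-14 12:00 for server 10.0.0.5.
NOW = datetime(2021, 12, 14, 12, 0)
SAMPLE_RECORDS: List[Record] = [
    ("10.0.0.5", NOW - timedelta(minutes=30), 400_000, "apt-marker", 12.0),   # hour 24 (X_1)
    ("10.0.0.5", NOW - timedelta(minutes=40), 400_000, "apt-marker", 12.0),   # hour 24
    ("10.0.0.5", NOW - timedelta(minutes=50), 400_000, "apt-marker", 12.0),   # hour 24
    ("10.0.0.5", NOW - timedelta(minutes=90), 1_200_000, "sess-9f1", 750.0),  # hour 23 (X_2), rate+size
    ("10.0.0.5", NOW - timedelta(minutes=95), 500, "sess-0a2", 4.0),          # benign, ignored
    ("10.0.0.9", NOW - timedelta(minutes=20), 900_000, "apt-marker", 20.0),   # other server, ignored
    ("10.0.0.5", NOW - timedelta(hours=30), 900_000, "apt-marker", 20.0),     # outside window, ignored
]
PUSH_BOOK = {"10.0.0.5": "ops-oncall@example.invalid"}   # pre-stored push addresses (constructed)

if __name__ == "__main__":
    attacked, score, dest = detect(SAMPLE_RECORDS, "10.0.0.5", NOW, PUSH_BOOK)
    print(f"score={score:.1f} attacked={attacked} notify={dest}")
```

With the stand-in relation the sample scores 1611.3 against the threshold of 300, so the prompt would go to the pre-stored address; swapping `score_fn` for the patent's actual relation leaves the rest of the pipeline unchanged.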
Therefore, in the embodiment of the invention, the traffic information corresponding to the IP of the server is obtained, the APT attack traffic information is identified from the traffic information, whether the corresponding server is attacked by the APT is further judged according to the APT attack traffic information, and the APT attack prompt information is sent out when the server is determined to be attacked by the APT; the invention can realize the detection of the server APT attack condition in the using process and prompt the APT attack in time so as to take defense measures to the server in time and improve the information security.
On the basis of the above embodiments, an embodiment of the present invention further provides an APT attack detection apparatus for a server, including:
an obtaining module 21, configured to obtain traffic information corresponding to a server IP;
an identifying module 22, configured to identify APT attack traffic information from the traffic information;
the judging module 23 is configured to judge whether the server is attacked by the APT according to the APT attack traffic information, and if so, trigger the sending module 24;
and the sending module 24 is configured to send an APT attack prompt message.
Further, the obtaining module 21 is specifically configured to obtain traffic information of the latest n time periods corresponding to the server IP through the APT probe;
then, the identifying module 22 is specifically configured to identify APT attack traffic information from the traffic information of each time period.
Further, the judging module 23 includes:
the calculating unit is used for calculating the APT attack score of the server according to the APT attack traffic information of each time period;
the judging unit is used for judging whether the APT attack score is larger than a preset threshold value or not, if so, the server is attacked by the APT, and the sending module is triggered; if not, the server is not attacked by the APT, and the method is ended.
It should be noted that the apparatus for detecting an APT attack of a server in the embodiment of the present invention has the same beneficial effects as the method for detecting an APT attack of a server provided in the embodiment of the present invention, and for specific description of the method for detecting an APT attack of a server in the embodiment of the present invention, reference is made to the embodiment described above, and details of the present invention are not repeated herein.
On the basis of the above embodiments, an embodiment of the present invention further provides an APT attack detection system for a server, where the system includes:
a memory for storing a computer program;
and the processor is used for realizing the steps of the APT attack detection method of the server when executing the computer program.
For example, the processor in the embodiment of the present invention is specifically configured to obtain traffic information corresponding to a server IP; identifying APT attack traffic information from the traffic information; and judging whether the server is attacked by the APT according to the APT attack flow information, and if so, sending APT attack prompt information.
On the basis of the foregoing embodiments, an embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the steps of the APT attack detection method for a server as described above are implemented.
The computer-readable storage medium may include various media capable of storing program code, such as a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. An APT attack detection method for a server is characterized by comprising the following steps:
acquiring traffic information corresponding to the server IP;
identifying APT attack traffic information from the traffic information;
and judging, according to the APT attack traffic information, whether the server is under APT attack, and if so, sending APT attack prompt information.
2. The APT attack detection method of the server according to claim 1, wherein the process of acquiring the traffic information corresponding to the server IP is:
acquiring the traffic information of the latest n time periods corresponding to the server IP through an APT probe;
then, the process of identifying the APT attack traffic information from the traffic information is as follows:
and identifying APT attack traffic information from the traffic information of each time period.
3. The APT attack detection method of the server according to claim 2, wherein the process of determining whether the server is attacked by the APT attack traffic information is as follows:
calculating the APT attack score of the server according to the APT attack traffic information of each time period;
and judging whether the APT attack score is larger than a preset threshold value, if so, enabling the server to be attacked by the APT, and if not, enabling the server not to be attacked by the APT.
4. The APT attack detection method of the server according to claim 3, wherein the process of calculating the APT attack score of the server according to the APT attack traffic information of each of the time periods is:
calculating the APT attack traffic size corresponding to each time period according to the APT attack traffic information of each time period;
calculating the APT attack score of the server according to the APT attack traffic and a preset calculation relation; wherein:
the preset calculation relation is given in Figure FDA0003410238100000011 (formula image not reproduced on this page);
where f(n) represents the APT attack score of the server, n represents the total number of time periods, X_i represents the APT attack traffic size of the (n-i+1)-th time period, and the remaining symbol represents the average value of the APT attack traffic over the n time periods.
5. The method for detecting the APT attack of the server according to any one of claims 1 to 4, wherein the process of sending out the APT attack prompting message is as follows:
acquiring a pre-stored push address corresponding to the server IP;
and sending APT attack prompt information to the push address.
6. An apparatus for detecting an APT attack of a server, comprising:
the acquisition module is used for acquiring traffic information corresponding to the server IP;
the identification module is used for identifying APT attack traffic information from the traffic information;
the judging module is used for judging, according to the APT attack traffic information, whether the server is under APT attack, and if so, triggering the sending module;
and the sending module is used for sending APT attack prompt information.
7. The apparatus according to claim 6, wherein the acquiring module is specifically configured to acquire traffic information of the latest n time periods corresponding to the server IP through an APT probe;
the identifying module is specifically configured to identify APT attack traffic information from the traffic information of each time period.
8. The apparatus for detecting APT attack of server according to claim 6, wherein the determining module comprises:
the calculating unit is used for calculating the APT attack score of the server according to the APT attack traffic information of each time period;
the judging unit is used for judging whether the APT attack score is larger than a preset threshold value or not, if so, the server is attacked by the APT, and the sending module is triggered; and if not, the server is not attacked by the APT, and the process is finished.
9. An APT attack detection system for a server, comprising:
a memory for storing a computer program;
processor for implementing the steps of the APT attack detection method of the server according to any one of claims 1 to 5 when executing said computer program.
10. A computer-readable storage medium, having stored thereon a computer program which, when being executed by a processor, carries out the steps of the APT attack detection method of the server according to any one of claims 1 to 5.
CN202111525523.4A 2021-12-14 2021-12-14 APT attack detection method, device and system of server and storage medium Withdrawn CN114363010A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111525523.4A CN114363010A (en) 2021-12-14 2021-12-14 APT attack detection method, device and system of server and storage medium


Publications (1)

Publication Number Publication Date
CN114363010A true CN114363010A (en) 2022-04-15

Family

ID=81098963


Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101383694A (en) * 2007-09-03 2009-03-11 电子科技大学 Defense method and system rejecting service attack based on data mining technology
CN109889531A (en) * 2019-03-07 2019-06-14 北京华安普特网络科技有限公司 A kind of DDos attack detection method of Web server
CN111277598A (en) * 2020-01-21 2020-06-12 北京天琴合创技术有限公司 Traffic-based application attack identification method and system
CN112953933A (en) * 2021-02-09 2021-06-11 恒安嘉新(北京)科技股份公司 Abnormal attack behavior detection method, device, equipment and storage medium

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117319082A (en) * 2023-11-24 2023-12-29 厦门星汉数智科技有限公司 APT attack detection method and system
CN117319082B (en) * 2023-11-24 2024-03-08 厦门星汉数智科技有限公司 APT attack detection method and system

Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication (application publication date: 20220415)