CN115065558A - Attack flow tracing method and device for APT attack - Google Patents


Info

Publication number: CN115065558A
Authority: CN (China)
Prior art keywords: identification information, unique identification, attack, parent, abnormal
Legal status: Pending
Application number: CN202210959012.1A
Other languages: Chinese (zh)
Inventors: 安卫宁, 王浩男, 蒋宗麒, 李一德, 陈毓端, 唐伽佳
Current assignee: Beijing Future Zhian Technology Co ltd
Original assignee: Beijing Future Zhian Technology Co ltd
Application filed by: Beijing Future Zhian Technology Co ltd
Priority to: CN202210959012.1A
Publication of: CN115065558A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00: Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/146: Tracing the source of attacks

Abstract

The embodiment of the invention discloses an attack flow tracing method and device for an APT attack. The method comprises the following steps: acquiring the unique identification information of an abnormal process and the unique identification information of its parent process, wherein the unique identification information of a process is calculated from the attribute information of the process, the attribute information comprises the process creation time, the parent-process unique identification information of a process is the same as the unique identification information of that process's parent process, and the abnormal process comprises an attack process of the APT attack; searching child processes step by step downwards based on the unique identification information of the abnormal process, and searching parent processes step by step upwards based on the parent-process unique identification information of the abnormal process; and generating an attack flow network diagram of the APT attack according to the abnormal process and each searched process. The invention achieves the beneficial effect of accurately and efficiently tracing the attack flow of an APT attack.

Description

Attack flow tracing method and device for APT attack
Technical Field
The invention relates to the technical field of network security, in particular to an attack flow tracing method and device for APT attack.
Background
In recent years, network security incidents have been frequent, and current security incidents can be summarized as having three characteristics: they target endpoints, they are concealed, and they exploit vulnerabilities. After a security incident occurs, in order to track and trace the attack behavior and replay the attack process, a security forensics technology is needed to collect evidence of the endpoint's running state before, during and after the attack; the difficulty in the forensics process lies in ensuring the relevance, authenticity and integrity of the collected evidence data.
An APT (Advanced Persistent Threat) attack is a network attack that is organized, target-specific and long-lasting. Because an APT attack lasts a long time, the time span between its attack steps is large, and even when several attack steps are identified, the prior art has difficulty restoring the whole attack flow of the APT attack.
Therefore, how to trace the attack flow of an APT attack is a problem that urgently needs to be solved in the prior art.
Disclosure of Invention
In order to solve at least one technical problem in the background art, the invention provides an attack flow tracing method and device for an APT attack.
In order to achieve the above object, according to an aspect of the present invention, there is provided an attack flow tracing method for an APT attack, the method including:
acquiring the unique identification information of an abnormal process and the unique identification information of its parent process, wherein the unique identification information of a process is calculated from the attribute information of the process, the attribute information comprises the process creation time, the parent-process unique identification information of a process is the same as the unique identification information of that process's parent process, and the abnormal process comprises an attack process of the APT attack;
searching child processes step by step downwards based on the unique identification information of the abnormal process, and searching parent processes step by step upwards based on the unique identification information of the parent process of the abnormal process;
and generating an attack flow network diagram of the APT attack according to the abnormal process and each searched process.
Optionally, the attack flow tracing method for the APT attack further includes:
searching for the behavior events corresponding to the abnormal process and to each searched process;
and the generating of an attack flow network diagram of the APT attack according to the abnormal process and each searched process specifically includes:
generating the attack flow network diagram of the APT attack according to the abnormal process, each searched process and each searched behavior event.
Optionally, the searching for the behavior events corresponding to the abnormal process and to each searched process specifically includes:
searching for the behavior events corresponding to a process according to the unique identification information of the process and its parent-process unique identification information, wherein the unique identification information and the parent-process unique identification information of the process corresponding to a behavior event are recorded in the log of that behavior event.
Optionally, the attribute information further includes: session ID, Token, file name, file fingerprint, command line, file path, and computer attribute data.
In order to achieve the above object, according to another aspect of the present invention, there is provided an attack flow tracing apparatus for an APT attack, the apparatus including:
an identification information acquisition unit, configured to acquire the unique identification information of an abnormal process and the unique identification information of its parent process, wherein the unique identification information of a process is calculated from the attribute information of the process, the attribute information comprises the process creation time, the parent-process unique identification information of a process is the same as the unique identification information of that process's parent process, and the abnormal process comprises an attack process of the APT attack;
a process searching unit, configured to search child processes step by step downwards based on the unique identification information of the abnormal process and to search parent processes step by step upwards based on the parent-process unique identification information of the abnormal process;
and an attack flow tracing unit, configured to generate an attack flow network diagram of the APT attack according to the abnormal process and each searched process.
Optionally, the attack flow tracing apparatus for the APT attack further includes:
a behavior event searching unit, configured to search for the behavior events corresponding to the abnormal process and to each searched process;
and the attack flow tracing unit specifically generates the attack flow network diagram of the APT attack according to the abnormal process, each searched process and each searched behavior event.
Optionally, the behavior event searching unit is specifically configured to search for the behavior events corresponding to a process according to the unique identification information of the process and its parent-process unique identification information, where the unique identification information and the parent-process unique identification information of the process corresponding to a behavior event are recorded in the log of that behavior event.
In order to achieve the above object, according to another aspect of the present invention, there is also provided a computer device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor implements the steps of the attack flow tracing method for APT attacks when executing the computer program.
To achieve the above object, according to another aspect of the present invention, there is also provided a computer readable storage medium having stored thereon a computer program/instructions, which when executed by a processor, implement the steps of the above attack flow tracing method for APT attack.
To achieve the above object, according to another aspect of the present invention, there is also provided a computer program product, which includes a computer program/instruction, and when the computer program/instruction is executed by a processor, the computer program/instruction implements the steps of the attack flow tracing method for APT attack described above.
The invention has the beneficial effects that:
the invention calculates the unique identification information of a process from the attribute information of the process, where the attribute information includes the process creation time; compared with the process ID adopted by existing schemes, the unique identification information of the invention is truly unique, so the scheme for tracing the attack flow of an APT attack based on this unique identification information is more accurate. In addition, since the unique identification information of a process is calculated from the process creation time, the method and device, unlike existing schemes, do not need a time period to be set; this effectively ensures the integrity of the process chain, helps capture long-term latent APT attacks, and makes the traced attack flow of the APT attack more complete.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts. In the drawings:
FIG. 1 is a first flowchart of an attack flow tracing method for an APT attack according to an embodiment of the present invention;
FIG. 2 is a second flowchart of an attack flow tracing method for an APT attack according to an embodiment of the present invention;
FIG. 3 is a first diagram of a process network diagram according to an embodiment of the present invention;
FIG. 4 is a second diagram of a process network diagram according to an embodiment of the present invention;
FIG. 5 is a first structural block diagram of an attack flow tracing apparatus for an APT attack according to an embodiment of the present invention;
FIG. 6 is a second structural block diagram of an attack flow tracing apparatus for an APT attack according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of a computer apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
It should be noted that the terms "comprises" and "comprising," and any variations thereof, in the description and claims of the present invention and the above-described drawings, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that the embodiments and features of the embodiments may be combined with each other without conflict. The present invention will be described in detail below with reference to the embodiments with reference to the attached drawings.
It should be noted that, in the technical solution of the present application, the acquisition, storage, use, processing, etc. of data all conform to the relevant regulations of the national laws and regulations.
Fig. 1 is a first flowchart of an attack flow tracing method of an APT attack according to an embodiment of the present invention, and as shown in fig. 1, in an embodiment of the present invention, the attack flow tracing method of an APT attack according to the present invention includes steps S101 to S103.
Step S101, obtain the unique identification information of an abnormal process and the unique identification information of its parent process, wherein the unique identification information of a process is calculated from the attribute information of the process, the attribute information comprises the process creation time, the parent-process unique identification information of a process is the same as the unique identification information of that process's parent process, and the abnormal process comprises an attack process of the APT attack.
The invention is realized with a process-description algorithm: the unique identification information of a process is generated by computing over the process's attribute information, so that the identifier describes the attributes of the process (such as the process creation time) comprehensively and is guaranteed to be globally and absolutely unique at the moment each process starts.
The parent-process unique identification information of a process is the same as the unique identification information of its parent process. Specifically, when a new process is created, the unique identification information of the new process is calculated from its attribute information, the parent process of the new process is determined at the same time, and the unique identification information of that parent process is recorded as the parent-process unique identification information of the new process.
It should be noted that, in the following embodiments of the present invention, PGUID is used to refer to unique identification information for short, and PPGUID is used to refer to parent process unique identification information for short.
Fig. 3 illustrates the relationship between the PGUID and PPGUID of each process; from Fig. 3 the following relationships can be concluded:
PGUID(A) = PPGUID(B) = PPGUID(D)
PGUID(B) = PPGUID(C)
PGUID(D) = PPGUID(E)
PPGUID(C) ≠ PPGUID(E)
The above relationships show that process A is the parent of process B and of process D, so process B and process D are sibling processes.
The parent process of process C is process B, so process C is a child process of process B. Similarly, process E is a child process of process D.
And because the PPGUIDs of process C and process E differ, process C and process E are not sibling processes.
In an embodiment of the present invention, the attribute information further includes: session ID, Token, file name, file fingerprint, command line, file path, and computer attribute data.
Session ID: the Session ID is used to track each user's session; it is generated by the server and used as an identifier to distinguish users.
Token: a string of encrypted characters generated by the server that serves as a "token" for the client's requests. After the user logs in successfully with the account password for the first time, the server generates a Token and a Token expiration time and returns them to the client; within the validity period the client then only needs to present the Token when requesting data and does not need to send the user name and password again.
File fingerprint: a file check code used to verify the file, computed for example with SHA-256.
And S102, searching the child process step by step downwards based on the unique identification information of the abnormal process, and searching the parent process step by step upwards based on the unique identification information of the parent process of the abnormal process.
Because the parent-process unique identification information of a process is the same as the unique identification information of its parent process, the invention can use this relationship to search child processes step by step according to the PGUID of the abnormal process. For example, if process A in Fig. 3 is the abnormal process, the PPGUID of process B is the same as the PGUID of process A, so process B is a child process of process A; and since the PPGUID of process C is the same as the PGUID of process B, process C is a child process of process B.
Similarly, using the same relationship, the invention can search parent processes step by step upwards according to the PPGUID of the abnormal process. For example, if process E in Fig. 3 is the abnormal process, the PGUID of process D is the same as the PPGUID of process E, so process D is the parent process of process E; searching one step further up, the PGUID of process A is found to be the same as the PPGUID of process D, so process A is the parent process of process D.
And step S103, generating an attack flow network diagram of the APT attack according to the abnormal process and each searched process.
In an embodiment of the present invention, an attack flow network graph is constructed: the abnormal process and each searched process are used as nodes of the network graph, and the edges between nodes are constructed according to the parent-child relationships between the processes; the resulting attack flow network graph may look like Fig. 3.
It can be seen from this embodiment that the unique identification information of a process is calculated from its attribute information; compared with the process ID adopted by existing schemes, this unique identification information is truly unique, so the attack flow network diagram generated from it is more accurate. In addition, since the unique identification information is calculated from the process creation time, the method and device, unlike existing schemes, do not need a time period to be set; this effectively ensures the integrity of the process chain and helps capture long-term latent APT attacks.
In one embodiment of the invention, the abnormal process may be identified by an EDR. Specifically, the EDR system identifies an attack according to a preset model over large volumes of system data, determines the processes related to the attack once it is identified, and marks those attack-related processes as abnormal processes. The process network diagram is then generated from the attack-related processes by the method described above; the generated diagram can describe the whole course of the attack completely and is helpful for analyzing it. Moreover, while the EDR system alone can only identify a single network attack, the method of the invention continuously searches the associated processes and behavior events starting from the processes related to that single attack; the resulting process chain is very complete and large, so long-term network attacks that were not previously identified can be discovered, which helps capture long-term latent APT attacks.
EDR stands for Endpoint Detection and Response, i.e. threat detection and response on the endpoint. It is a solution that records and stores system-level behavior on endpoints, detects network attack behavior through various data analysis techniques and provides related context information, so that attack behavior can be blocked and remediation suggestions can be provided for the affected systems.
The EDR performs static and dynamic data collection on the endpoint. Static collection captures the current running state of the operating system, such as asset information, services, ports, processes, threads and vulnerabilities. Dynamic information covers the various actions occurring on the operating system, such as account change records, network access actions, network request actions, file operations and process activities. Data collection is the premise and basis for threat prediction and security analysis by an EDR.
When aggregation analysis is performed on the data collected by an EDR product, the behavioral activity on the endpoint needs to be restored, and the behavioral activity on the endpoint is the activity of processes. A process may create multiple new processes during its execution; the creating process is called the parent process and the new process the child process. Each new process can in turn create other processes, forming a process network diagram.
In the prior art, a host and a time period must first be selected when restoring (generating) a process network diagram, and the processes must be screened. Then, for the screened processes, the relationships between processes are worked out from the process ID and parent process ID of each process to form the process network graph. The process ID is an integer automatically assigned by the system to uniquely identify the process when it is created, generally starting from 0 and assigned sequentially until a system-specific maximum value is reached, after which assignment restarts from 300; when an ID that is already assigned is encountered, it is skipped and the search continues incrementally to the next assignable ID. However, when the system is restarted, process IDs are assigned again from 0, so process IDs are generated repeatedly. Repeated process IDs result in duplicated processes, which makes the generated process network graph inaccurate.
Fig. 2 is a second flowchart of an attack flow tracing method of an APT attack according to an embodiment of the present invention, and as shown in fig. 2, in another embodiment of the present invention, the attack flow tracing method of an APT attack according to the present invention includes steps S201 to S204.
Step S201, obtain the unique identification information of an abnormal process and the unique identification information of its parent process, where the unique identification information of a process is calculated from the attribute information of the process, the attribute information includes the process creation time, the parent-process unique identification information of a process is the same as the unique identification information of that process's parent process, and the abnormal process comprises an attack process of the APT attack.
Step S202, searching the child process step by step downwards based on the unique identification information of the abnormal process, and searching the parent process step by step upwards based on the unique identification information of the parent process of the abnormal process.
Step S203, search for the behavior events corresponding to the abnormal process and to each found process.
In an embodiment of the present invention, the behavior event may specifically include: process behavior, module behavior, file behavior, registry behavior, network behavior, pipe behavior, account behavior, authority behavior, service behavior, and plan task behavior.
In the invention, the behavior event is initiated by the process, and when a new behavior event is generated, the PGUID and the PPGUID of the process initiating the behavior event are written in the log of the behavior event, so that the searching of the relationship between the subsequent process and the behavior event is facilitated.
Fig. 4 depicts the relationship between processes and behavior events; the following conclusions can be drawn from Fig. 4:
PGUID(A) = PPGUID(B)
PGUID(C) = PGUID(Z)
PGUID(B) = PPGUID(C) = PGUID(X) = PGUID(Y) = PPGUID(Z)
PGUID(A) = PPGUID(X) = PPGUID(Y)
The above relationships indicate that process A is the parent of process B, which in turn is the parent of process C.
The two behavior events module behavior X and network behavior Y are behavior events of process B, and file behavior Z is a behavior event of process C.
In the logs of the different event types, the PGUID and PPGUID allow the corresponding process relationship network graph to be filtered out, whether tracing starts from a process or threat tracing starts from a particular behavioral activity.
And step S204, generating an attack flow network diagram of the APT attack according to the abnormal process, each searched process and each searched behavior event.
In an embodiment of the present invention, a network graph is constructed in which the abnormal process, the searched processes and the searched behavior events are nodes, and the edges between nodes are constructed according to the parent-child relationships between the processes and the correspondence between behavior events and processes; the resulting attack flow network graph may look like Fig. 4.
In an embodiment of the present invention, the searching for the behavior events corresponding to the abnormal process and to each found process in step S203 specifically includes:
searching for the behavior events corresponding to a process according to the unique identification information of the process and its parent-process unique identification information, wherein the unique identification information and the parent-process unique identification information of the process corresponding to a behavior event are recorded in the log of that behavior event.
In an embodiment of the present invention, the abnormal process in the above embodiments is a process related to a network attack, and the process network diagram is used to describe the whole course of the network attack.
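As an added illustration (example code written for this page, not the patent's own implementation), the following Python simulates an endpoint agent that derives a PGUID from process attributes, sets PPGUID(child) = PGUID(parent) at creation time, stamps behavior events with both values, and then performs the step-by-step downward/upward search of steps S102 and S203 and the event attachment of step S204 on a constructed sample mirroring Fig. 3 and Fig. 4; the attribute field set, the hash truncation, the ROOT sentinel and the sample processes are assumptions. It also shows that a PID reused after a reboot yields a different PGUID, which is the prior-art defect described above.

```python
import hashlib
from collections import defaultdict, deque

# Attribute fields folded into the PGUID (the patent lists creation time, session ID, Token, file
# name, file fingerprint, command line, file path, computer data); field set and truncation are assumptions.
PGUID_FIELDS = ("create_time", "session_id", "token", "file_path", "file_hash", "cmdline", "host")

def compute_pguid(attrs):
    """Derive a globally unique process identifier (PGUID) from the process attributes."""
    material = "\x1f".join(str(attrs[f]) for f in PGUID_FIELDS)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:16]

class Endpoint:
    """Simulated endpoint agent: assigns PGUID/PPGUID at process creation and stamps every
    behaviour event with the PGUID/PPGUID of the process that raised it (constructed model)."""
    def __init__(self, host):
        self.host = host
        self.live = {}        # pid -> PGUID of the processes currently running
        self.processes = []   # process creation log (survives reboots)
        self.events = []      # behaviour event log
        self.clock = 0        # monotonically increasing creation timestamp

    def spawn(self, pid, ppid, file_path, cmdline, session_id=1, token="tok-1", file_hash="0" * 8):
        self.clock += 1
        attrs = dict(create_time=self.clock, session_id=session_id, token=token, file_path=file_path,
                     file_hash=file_hash, cmdline=cmdline, host=self.host)
        pguid = compute_pguid(attrs)
        ppguid = self.live.get(ppid, "ROOT")   # PPGUID(child) = PGUID(parent) as known at creation time
        self.processes.append(dict(pid=pid, pguid=pguid, ppguid=ppguid, file_path=file_path))
        self.live[pid] = pguid
        return pguid

    def emit_event(self, pid, kind, detail):
        pguid = self.live[pid]
        ppguid = next(p["ppguid"] for p in self.processes if p["pguid"] == pguid)
        self.events.append(dict(kind=kind, detail=detail, pguid=pguid, ppguid=ppguid))

    def reboot(self):
        self.live.clear()     # PIDs are handed out again from scratch; PGUIDs are not

def trace(processes, events, anomalous_pguid):
    """Steps S102/S203: walk down by PGUID, up by PPGUID, then attach the logged behaviour events.
    Returns (PGUIDs of the chain, event node ids, parent->child and process->event edges)."""
    by_pguid = {p["pguid"]: p for p in processes}
    children = defaultdict(list)
    for p in processes:
        children[p["ppguid"]].append(p["pguid"])
    nodes, edges = {anomalous_pguid}, set()
    queue = deque([anomalous_pguid])          # downward: PPGUID(child) == PGUID(current)
    while queue:
        cur = queue.popleft()
        for child in children[cur]:
            if child not in nodes:
                nodes.add(child)
                edges.add((cur, child))
                queue.append(child)
    cur = anomalous_pguid                     # upward: PGUID(parent) == PPGUID(current)
    while True:
        parent = by_pguid[cur]["ppguid"]
        if parent not in by_pguid or parent in nodes:   # root reached, or a cycle in corrupt data
            break
        nodes.add(parent)
        edges.add((parent, cur))
        cur = parent
    event_ids = []                            # events whose logged PGUID belongs to the chain
    for i, ev in enumerate(events):
        if ev["pguid"] in nodes:
            ev_id = f"{ev['kind']}#{i}"
            event_ids.append(ev_id)
            edges.add((ev["pguid"], ev_id))
    return nodes, event_ids, edges

def demo():
    """Constructed sample mirroring Fig. 3/4: A -> B -> C, A -> D -> E; events X, Y on B and Z on C."""
    ep = Endpoint("host-01")
    g = {}
    g["A"] = ep.spawn(100, 4, r"C:\app\launcher.exe", "launcher.exe")
    g["B"] = ep.spawn(200, 100, r"C:\app\worker.exe", "worker.exe --job 1")
    g["C"] = ep.spawn(300, 200, r"C:\app\helper.exe", "helper.exe")
    g["D"] = ep.spawn(201, 100, r"C:\app\worker.exe", "worker.exe --job 2")
    g["E"] = ep.spawn(301, 201, r"C:\app\helper.exe", "helper.exe")
    ep.emit_event(200, "module", "load X.dll")
    ep.emit_event(200, "network", "connect 192.0.2.10:443")
    ep.emit_event(300, "file", r"write C:\app\out.bin")
    ep.reboot()                                # PID 300 is reused by an unrelated process ...
    g["F"] = ep.spawn(300, 4, r"C:\app\launcher.exe", "launcher.exe")   # ... with a different PGUID
    label = {v: k for k, v in g.items()}
    result = {"pid_reuse_distinct": g["C"] != g["F"]}
    for start in ("A", "C", "E"):
        nodes, ev_ids, edges = trace(ep.processes, ep.events, g[start])
        result["chain_from_" + start] = sorted(label[n] for n in nodes)
        result["events_from_" + start] = sorted(ev_ids)
        result["edges_from_" + start] = sorted((label.get(u, u), label.get(v, v)) for u, v in edges)
    return result
```

Starting from C the trace climbs to B and A and attaches X, Y and Z; starting from E it climbs to D and A and attaches nothing, and the post-reboot process F (same PID as C) never enters either chain.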
As can be seen from the above embodiments, the attack flow tracing method for APT attack of the present invention at least achieves the following beneficial effects:
1. the method effectively addresses the problem that, in threat tracing, the confidence in a parent process found by relying solely on the parent process ID corresponding to a process ID is extremely low when restoring process behavior and activity, so the confidence in the relationships of the process network diagram is greatly improved;
2. the method addresses the scenario of capturing long-term latent APT threats, ensures the integrity of the process chain, and provides an accurate and effective analysis basis for threat tracing;
3. searching by the globally unique identifier PGUID reduces the data dimensions involved in correlating searches; no time range needs to be determined, no ambiguous duplicate candidates need to be judged, and the parent process can be found quickly and accurately;
4. because the process creation time is folded into the globally unique identifier PGUID, no time interval needs to be restricted when performing global log correlation searches, so deep mining and attack backtracking can be carried out effectively for APT attacks that have been latent for a long time.
It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system such as a set of computer-executable instructions and that, although a logical order is illustrated in the flowcharts, in some cases, the steps illustrated or described may be performed in an order different than presented herein.
Based on the same inventive concept, the embodiment of the present invention further provides an attack flow tracing apparatus for an APT attack, which can be used to implement the attack flow tracing method for the APT attack described in the above embodiments, as described in the following embodiments. Because the principle of solving the problem of the attack flow tracing device of the APT attack is similar to that of the attack flow tracing method of the APT attack, the embodiment of the attack flow tracing device of the APT attack can refer to the embodiment of the attack flow tracing method of the APT attack, and repeated parts are not described again. As used hereinafter, the term "unit" or "module" may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware is also possible and contemplated.
Fig. 5 is a first structural block diagram of an attack flow tracing apparatus of an APT attack according to an embodiment of the present invention, and as shown in fig. 5, in an embodiment of the present invention, the attack flow tracing apparatus of an APT attack according to the present invention includes:
an identification information obtaining unit 1, configured to obtain the unique identification information of an abnormal process and the unique identification information of its parent process, where the unique identification information of a process is computed from attribute information of the process, the attribute information includes the process creation time, the parent-process identification information recorded for a process is identical to the unique identification information computed for that parent process (so parent and child are linked by identifier alone), and the abnormal process is an attack process of the APT attack;
a process searching unit 2, configured to search for child processes step by step downwards based on the unique identification information of the abnormal process, and to search for parent processes step by step upwards based on the unique identification information of the parent process of the abnormal process;
and an attack flow tracing unit 3, configured to generate an attack flow network diagram of the APT attack from the abnormal process and each searched process.
Fig. 6 is a second structural block diagram of the attack flow tracing apparatus of the APT attack according to the embodiment of the present invention, and as shown in fig. 6, in an embodiment of the present invention, the attack flow tracing apparatus of the APT attack according to the present invention further includes:
a behavior event searching unit 4, configured to search for the behavior events corresponding to the abnormal process and to each searched process.
In an embodiment of the present invention, the attack flow tracing unit 3 specifically generates the attack flow network diagram of the APT attack from the abnormal process, the searched processes, and the searched behavior events.
In an embodiment of the present invention, the behavior event searching unit 4 is specifically configured to search for the behavior events corresponding to a process according to the unique identification information of the process and the unique identification information of its parent process, where the log of each behavior event records the unique identification information of the process that produced the event and the unique identification information of that process's parent.
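As an added example (not the patent's own code, and not code from the assignee), the following Python script puts the advantages listed above and units 1 to 4 together: a PGUID computed from the kinds of attributes the claims name (creation time, PID, image, command line, session ID, host), process-creation and behaviour logs that carry both pguid and ppguid, the upward walk through parents and downward walk through children that needs no time window, and the edge list of the resulting attack flow network diagram. The host name, log field names, hashing scheme, and every process and event record are constructed assumptions; the process tree deliberately reuses PID 4100 so the difference between a PID-keyed and a PGUID-keyed search is visible.

```python
import hashlib
import json
from collections import defaultdict, deque

HOST = "WS-042"  # constructed host name


def pguid(host, pid, create_time_ns, image, cmdline, session_id=1):
    """Globally unique process identifier derived from attributes that,
    taken together, identify one process instance. Folding in the creation
    time is what separates two processes that reuse the same PID.
    (Hash scheme and field set are assumptions made for this example.)"""
    material = json.dumps({"host": host, "pid": pid, "ctime": create_time_ns,
                           "image": image, "cmd": cmdline, "sid": session_id},
                          sort_keys=True)
    return hashlib.sha256(material.encode()).hexdigest()[:16]


# Constructed process tree: label -> (pid, ctime_ns, image, cmdline, parent label).
# PID 4100 is held first by the attacker's cmd.exe spawned from a macro document
# and, after it exits, by an unrelated shell the user opens from explorer.
PROCS = {
    "winlogon": (500, 100, "winlogon.exe", "winlogon.exe", None),
    "explorer": (1200, 1_000, "explorer.exe", "explorer.exe", "winlogon"),
    "winword": (3040, 5_000, "WINWORD.EXE", "WINWORD.EXE /n invoice.docm", "explorer"),
    "cmd_bad": (4100, 5_100, "cmd.exe", "cmd.exe /c powershell -w hidden -enc JABjAD0A", "winword"),
    "psh": (4800, 5_200, "powershell.exe", "powershell -w hidden -enc JABjAD0A", "cmd_bad"),
    "cmd_user": (4100, 7_000, "cmd.exe", "cmd.exe", "explorer"),  # PID 4100 reused
    "notepad": (6000, 7_100, "notepad.exe", "notepad.exe notes.txt", "cmd_user"),
    "rundll": (5001, 9_000_000_000, "rundll32.exe", "rundll32.exe upd.dll,Run", "psh"),  # much later
}


def creation_log(procs=PROCS, host=HOST):
    """One process-creation log row per process, carrying its own pguid and
    its parent's pguid (ppguid), as an endpoint agent would record them."""
    ids = {k: pguid(host, *p[:4]) for k, p in procs.items()}
    rows = [{"host": host, "pid": p[0], "ctime": p[1], "image": p[2], "cmd": p[3],
             "pguid": ids[k], "ppid": procs[p[4]][0] if p[4] else None,
             "ppguid": ids[p[4]] if p[4] else None} for k, p in procs.items()]
    return rows, ids


def behaviour_log(ids):
    """Constructed behaviour events; each records pguid and ppguid (claim 3)."""
    return [
        {"pguid": ids["psh"], "ppguid": ids["cmd_bad"], "type": "file_write",
         "detail": r"C:\Users\alice\AppData\Roaming\upd.dll"},
        {"pguid": ids["rundll"], "ppguid": ids["psh"], "type": "net_connect",
         "detail": "203.0.113.5:443"},
        {"pguid": ids["notepad"], "ppguid": ids["cmd_user"], "type": "file_write",
         "detail": r"C:\Users\alice\notes.txt"},
    ]


def trace(proc_rows, event_rows, abnormal):
    """Walk parents upward and children downward from the abnormal pguid, then
    attach the behaviour events whose (pguid, ppguid) pair matches a traced
    process. No time window is used at any point."""
    by_id = {r["pguid"]: r for r in proc_rows}
    children = defaultdict(list)
    for r in proc_rows:
        if r["ppguid"]:
            children[r["ppguid"]].append(r["pguid"])
    nodes, edges, cur = {abnormal}, [], abnormal
    while (par := by_id[cur]["ppguid"]):           # upward until a root
        edges.append((par, cur))
        nodes.add(par)
        if par not in by_id:                         # log gap: keep edge, stop climbing
            break
        cur = par
    queue = deque([abnormal])
    while queue:                                     # downward, breadth first
        p = queue.popleft()
        for c in children[p]:
            edges.append((p, c))
            nodes.add(c)
            queue.append(c)
    events = defaultdict(list)
    for e in event_rows:
        r = by_id.get(e["pguid"])
        if r and e["pguid"] in nodes and e["ppguid"] == r["ppguid"]:
            events[e["pguid"]].append(e)
    return {"nodes": nodes, "edges": edges, "events": dict(events), "by_id": by_id}


def render(result):
    """Text form of the attack flow network diagram: one line per edge."""
    def name(g):
        r = result["by_id"].get(g)
        return f'{r["image"]}({r["pid"]})' if r else f"<missing {g}>"
    return [f"{name(p)} -> {name(c)}" for p, c in result["edges"]]


def children_by_pid(proc_rows, ppid):
    """What a PID-keyed search returns: children of every process that ever
    held this PID, which is the ambiguity the PGUID lookup removes."""
    return sorted(r["image"] for r in proc_rows if r["ppid"] == ppid)


if __name__ == "__main__":
    rows, ids = creation_log()
    res = trace(rows, behaviour_log(ids), ids["cmd_bad"])
    print("\n".join(render(res)))
    print("PID 4100 children by PID:", children_by_pid(rows, 4100))
```

Running the script prints the five edges from winlogon.exe down to rundll32.exe, which is created far later than everything else and is still reached because the walk is keyed on identifiers rather than on a time window. The last line shows the contrast the patent relies on: a search keyed on parent PID 4100 returns both the attacker's powershell.exe and the user's notepad.exe, whereas the PGUID walk never touches the second cmd.exe or its child.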
To achieve the above object, according to another aspect of the present application, there is also provided a computer apparatus. As shown in fig. 7, the computer device comprises a memory, a processor, a communication interface and a communication bus, wherein a computer program that can be run on the processor is stored in the memory, and the steps of the method of the above embodiment are realized when the processor executes the computer program.
The processor may be a central processing unit (CPU), or another general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or a combination thereof.
The memory, as a non-transitory computer readable storage medium, may be used to store non-transitory software programs, non-transitory computer executable programs and units, such as the program units corresponding to the method embodiments of the present invention described above. By executing the non-transitory software programs, instructions and units stored in the memory, the processor runs the various functional applications and processes the working data, that is, implements the method of the above method embodiment.
The memory may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created by the processor, and the like. Further, the memory may include high speed random access memory, and may also include non-transitory memory, such as at least one disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory optionally includes memory located remotely from the processor, and such remote memory may be coupled to the processor via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The one or more units are stored in the memory and, when executed by the processor, perform the method of the above embodiment.
The specific details of the computer device may be understood by referring to the corresponding related descriptions and effects in the above embodiments, and are not described herein again.
In order to achieve the above object, according to another aspect of the present application, there is also provided a computer-readable storage medium storing a computer program which, when executed by a computer processor, implements the steps of the above-mentioned attack flow tracing method for APT attacks. It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium and, when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a random access memory (RAM), a flash memory, a hard disk drive (HDD), or a solid state drive (SSD); the storage medium may also comprise a combination of memories of the kinds described above.
To achieve the above object, according to another aspect of the present application, there is also provided a computer program product including a computer program/instructions, which when executed by a processor, implement the steps of the attack flow tracing method for APT attack described above.
It will be apparent to those skilled in the art that the modules or steps of the present invention described above may be implemented by a general purpose computing device, they may be centralized on a single computing device or distributed across a network of multiple computing devices, and they may alternatively be implemented by program code executable by a computing device, such that they may be stored in a storage device and executed by a computing device, or fabricated separately as individual integrated circuit modules, or fabricated as a single integrated circuit module from multiple modules or steps. Thus, the present invention is not limited to any specific combination of hardware and software.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (11)

1. An attack flow tracing method of APT attack is characterized by comprising the following steps:
acquiring unique identification information of an abnormal process and unique identification information of its parent process, wherein the unique identification information of a process is computed from attribute information of the process, the attribute information comprises the process creation time, the parent-process identification information recorded for a process is identical to the unique identification information computed for that parent process, and the abnormal process is an attack process of the APT attack;
searching child processes step by step downwards based on the unique identification information of the abnormal process, and searching parent processes step by step upwards based on the unique identification information of the parent process of the abnormal process;
and generating an attack flow network diagram of the APT attack according to the abnormal process and each searched process.
2. The method of claim 1, further comprising:
searching the abnormal process and the behavior event corresponding to each searched process;
the generating an attack flow network diagram of the APT attack according to the abnormal process and each searched process specifically includes:
and generating an attack flow network diagram of the APT attack according to the abnormal process, each searched process and each searched behavior event.
3. The attack flow tracing method for the APT attack according to claim 2, wherein the searching the abnormal process and the behavior event corresponding to each searched process specifically includes:
and searching the behavior event corresponding to the process according to the unique identification information of the process and the unique identification information of the parent process, wherein the unique identification information of the process corresponding to the behavior event and the unique identification information of the parent process are recorded in a log of the behavior event.
4. The method according to claim 1, wherein the attribute information further includes: session ID, Token, file name, file fingerprint, command line, file path, and computer attribute data.
5. An attack flow tracing device of APT attack is characterized by comprising:
an identification information acquisition unit, configured to acquire unique identification information of an abnormal process and unique identification information of its parent process, wherein the unique identification information of a process is computed from attribute information of the process, the attribute information comprises the process creation time, the parent-process identification information recorded for a process is identical to the unique identification information computed for that parent process, and the abnormal process is an attack process of the APT attack;
the process searching unit is used for searching the child process step by step downwards based on the unique identification information of the abnormal process and searching the parent process step by step upwards based on the unique identification information of the parent process of the abnormal process;
and the attack flow tracing unit is used for generating an attack flow network diagram of the APT attack according to the abnormal process and each searched process.
6. The apparatus of claim 5, further comprising:
a behavior event searching unit, configured to search the abnormal process and the behavior event corresponding to each searched process;
and the attack flow tracing unit specifically generates an attack flow network diagram of the APT attack according to the abnormal process, each searched process and each searched behavior event.
7. The apparatus of claim 6, wherein the behavior event search unit is specifically configured to search for a behavior event corresponding to the process according to the unique identification information of the process and the unique identification information of the parent process, where a log of the behavior event records the unique identification information of the process corresponding to the behavior event and the unique identification information of the parent process.
8. The apparatus according to claim 5, wherein the attribute information further includes: session ID, Token, file name, file fingerprint, command line, file path, and computer attribute data.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the steps of the method according to any of claims 1 to 4 are implemented when the computer program is executed by the processor.
10. A computer-readable storage medium, on which a computer program/instructions are stored, characterized in that the computer program/instructions, when executed by a processor, implement the steps of the method of any one of claims 1 to 4.
11. A computer program product comprising computer program/instructions, characterized in that the computer program/instructions, when executed by a processor, implement the steps of the method of any one of claims 1 to 4.
CN202210959012.1A 2022-08-11 2022-08-11 Attack flow tracing method and device for APT attack Pending CN115065558A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210959012.1A CN115065558A (en) 2022-08-11 2022-08-11 Attack flow tracing method and device for APT attack

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210959012.1A CN115065558A (en) 2022-08-11 2022-08-11 Attack flow tracing method and device for APT attack

Publications (1)

Publication Number Publication Date
CN115065558A true CN115065558A (en) 2022-09-16

Family

ID=83207339

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210959012.1A Pending CN115065558A (en) 2022-08-11 2022-08-11 Attack flow tracing method and device for APT attack

Country Status (1)

Country Link
CN (1) CN115065558A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102932329A (en) * 2012-09-26 2013-02-13 北京奇虎科技有限公司 Method and device for intercepting behaviors of program, and client equipment
US20180336256A1 (en) * 2017-05-18 2018-11-22 Nec Laboratories America, Inc. Template based data reduction for security related information flow data
US20190081873A1 (en) * 2017-09-12 2019-03-14 Sophos Limited Dashboard for managing enterprise network traffic
CN111181918A (en) * 2019-11-29 2020-05-19 杭州安恒信息技术股份有限公司 TTP-based high-risk asset discovery and network attack tracing method
CN112084091A (en) * 2020-09-09 2020-12-15 北京升鑫网络科技有限公司 System behavior auditing method, device, terminal and storage medium

Similar Documents

Publication Publication Date Title
US10649838B2 (en) Automatic correlation of dynamic system events within computing devices
US11710131B2 (en) Method and apparatus of identifying a transaction risk
CN107241296B (en) Webshell detection method and device
CN113676484B (en) Attack tracing method and device and electronic equipment
KR101676366B1 (en) Attacks tracking system and method for tracking malware path and behaviors for the defense against cyber attacks
US11431792B2 (en) Determining contextual information for alerts
CN114915479B (en) Web attack stage analysis method and system based on Web log
CN112347501A (en) Data processing method, device, equipment and storage medium
CN113572719B (en) Domain name detection method, device, equipment and readable storage medium
CN110941632A (en) Database auditing method, device and equipment
CN108073703A (en) A kind of comment information acquisition methods, device, equipment and storage medium
CN113987492A (en) Method and device for determining alarm event
CN117376092A (en) Fault root cause positioning method, device, equipment and storage medium
CN111885088A (en) Log monitoring method and device based on block chain
CN111435327B (en) Log record processing method, device and system
CN111886594B (en) Malicious process tracking
CN115065558A (en) Attack flow tracing method and device for APT attack
Kapusta et al. User session identification using reference length
CN114297630A (en) Malicious data detection method and device, storage medium and processor
CN112434894A (en) Real-time risk control method, computer equipment and readable storage medium
CN116340536A (en) Operation and maintenance knowledge graph construction method, device, equipment, medium and program product
CN116488899A (en) Attack path positioning method and device, electronic equipment and storage medium
Ohrui et al. Mining botnet coordinated attacks using apriori-prefixspan hybrid algorithm
CN114173138A (en) Method, device, medium and equipment for processing abnormal video up master
CN116846638A (en) Unauthorized behavior detection method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20220916)