CN115987686A - Threat detection method based on https agent - Google Patents


Info

Publication number
CN115987686A
Authority
CN
China
Prior art keywords
attack
https
terminal
certificate
domain name
Prior art date
Legal status
Granted
Application number
CN202310258996.5A
Other languages
Chinese (zh)
Other versions
CN115987686B (en)
Inventor
刘天亮
刘诗剑
Current Assignee
Beijing Qitian Anxin Technology Co ltd
Original Assignee
Beijing Qitian Anxin Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Beijing Qitian Anxin Technology Co ltd
Priority to CN202310258996.5A
Publication of CN115987686A
Application granted
Publication of CN115987686B
Legal status: Active

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention provides a threat detection method based on an https agent, which comprises the following steps: step 1: constructing an adaptive https certificate adaptation mechanism; step 2: in the https interaction process, covertly monitoring the attack behavior of an attacker based on the adaptive https certificate adaptation mechanism to obtain the attack behavior of the attacker; step 3: analyzing the attack behavior, and locating the compromised terminal based on the bait file of the terminal; step 4: modifying the identity information of the compromised terminal. Working together with bait files deployed on the terminal side, the method decrypts https encrypted traffic at the gateway side, acquires user-related information, analyzes and locates the compromised intranet host, and rapidly detects attack threat events.

Description

Threat detection method based on https agent
Technical Field
The invention relates to the technical field of network traffic analysis, in particular to a threat detection method based on https agents.
Background
In a typical attack and defense scenario, an attacker who has successfully penetrated an intranet host may attempt to collect as much information as possible (e.g., sensitive files such as credit card numbers, social account details, and passwords stored in unprotected text files). Deploying a file decoy on the endpoint to detect such attack behavior is an effective means of threat detection. The bait file usually contains information such as a domain name, a user name and a password, and since 70% of websites adopt https encrypted communication, the domain name in the file bait usually uses an https form so that the bait appears authentic. Attackers typically use this information to log into the system and extend the breach.
The problem is that a conventional intranet gateway cannot decrypt the encrypted traffic and obtain the communication plaintext when https encrypted communication is used, so attack threat events cannot be effectively detected at the gateway.
Therefore, the invention provides a threat detection method based on https agents.
Disclosure of Invention
The invention provides a threat detection method based on an https agent, which works together with bait files deployed on the terminal side, acquires user-related information by decrypting https encrypted traffic on the gateway side, analyzes and locates the compromised intranet host, and rapidly detects attack threat events.
The invention provides a threat detection method based on an https agent, which comprises the following steps:
step 1: constructing an adaptive https certificate adaptation mechanism;
step 2: in the https interaction process, based on the adaptive https certificate adaptation mechanism, carrying out hidden monitoring on the attack behavior of an attacker, and acquiring the attack behavior of the attacker;
step 3: analyzing the attack behavior, and locating the compromised terminal based on the bait file of the terminal;
step 4: modifying the identity information of the compromised terminal.
Preferably, constructing an adaptive https certificate adaptation mechanism includes:
deploying matched website domain name signing certificates to different gateways;
and adding the gateway self-signed certificate to the trusted certificate authorities of the terminal, thereby constructing the adaptive https certificate adaptation mechanism.
Preferably, the process of performing covert monitoring on the attack behavior of an attacker based on the adaptive https certificate adaptation mechanism includes:
when an attacker accesses the https domain name in the file bait, the browser shows no warning prompt;
when the gateway interacts with a terminal, an https certificate is provided adaptively according to the accessed domain name, https encrypted traffic is decrypted through the https agent module, and attack threats are detected and alerted;
reassembling the https data packet and sending it to the target website.
Preferably, before locating the compromised terminal based on the bait file of the terminal, the method further includes:
calling a bait generation module, and generating a bait file according to the terminal ip address, the mac address and the target website domain name set;
deploying the bait files to matched terminals, wherein each terminal has a unique bait file;
the bait file comprises a website https domain name, a generated user name NUa and a generated password NPa.
Preferably, the analyzing the attack behavior and positioning the attacked terminal based on the bait file of the terminal further includes:
after the attacker is detected to have penetrated the terminal, searching the bait file of the terminal, acquiring the domain name login information of the bait file, and logging in to the https target website;
when a login to the https target website is detected, acquiring the domain name of the https target website and judging whether the https target website is a known website;
if so, returning the target website certificate of the https target website;
and if the https target website is an unknown website, generating a new certificate signing request according to the domain name of the https target website, signing it with the key corresponding to the CA certificate, returning the domain name certificate, and establishing https connections with both the terminal and the https target website as an intermediate client.
Preferably, the modifying the identity information of the attacked terminal includes:
decrypting https encrypted traffic of the appointed monitoring terminal to obtain https plaintext data;
detecting the https plaintext data in real time according to a configuration rule; after matching the website https domain name, user name NUa and password NPa, associating the ip address and mac address of the terminal and sending alarm information;
and at the same time, modifying the https domain name, user name NUa and password NPa of the compromised terminal into a new https domain name, user name Ua and password Pa.
Preferably, the analyzing the attack behavior and locating the attacked terminal based on the bait file of the terminal includes:
mapping the attack behavior with a preset attack event, and determining a mapping sequence based on the mapping relationship, wherein the mapping sequence comprises the attack strength of any behavior type contained in the attack behavior at different attack time points;
based on the mapping sequence, a first attack array aiming at each attack time point is constructed, and a second attack array aiming at the same behavior type is constructed;
determining a first reference importance of the first attack array:
Figure SMS_1 (formula provided as an image);
where:
Figure SMS_2 represents the total number of attack types contained in the first attack array corresponding to the attack time point;
Figure SMS_3 represents the attack strength under the Figure SMS_4 -th attack type in the first attack array of the corresponding attack time point;
Figure SMS_5 represents the maximum attack strength corresponding to the corresponding attack time point;
Figure SMS_6 represents the exponential function symbol;
Figure SMS_7 represents the attack weight of the Figure SMS_8 -th attack type in the first attack array of the corresponding attack time point;
determining a second reference importance of the second attack array:
Figure SMS_9 (formula provided as an image);
where:
Figure SMS_10 represents the number of attack time points contained in the corresponding second attack array;
Figure SMS_11 represents the attack strength for the same behavior type at the j1-th attack time point in the corresponding second attack array;
Figure SMS_12 represents the maximum attack strength in the corresponding second attack array;
Figure SMS_13 represents the attack weight corresponding to the same behavior type of the second attack array;
extracting a first maximum reference degree from all the first reference importance degrees and a second maximum reference degree from all the second reference importance degrees;
when the first maximum reference degree is smaller than a first preset degree and the second maximum reference degree is smaller than a second preset degree, judging that no compromised terminal exists;
otherwise, deploying on the bait file the important time points corresponding to first reference importance degrees larger than the first preset degree and the important attack types corresponding to second reference importance degrees larger than the second preset degree, and locking the terminal corresponding to the deployed bait file as the compromised terminal.
Preferably, in the process of modifying the identity information of the compromised terminal, the method further includes:
acquiring the attack deployment information on the bait file corresponding to the compromised terminal, determining the point distribution of the important time points contained in the attack deployment information, determining the attack time range, and acquiring the total attack times of each single attack type in the point distribution;
determining the important attack types based on important time points according to the attack time range and the total attack times, and at the same time determining the important attack types in the attack deployment information;
screening overlapping attack types and non-overlapping attack types from the important attack types based on important time points and the important attack types based on the attack deployment information, and determining the current value of each first attack type;
acquiring the possible identity attack segments matched with the identity information of the user, extracting from all current values the value set matched with each possible identity attack segment, and obtaining the change probability of each possible identity attack segment;
when the change probability is larger than the preset probability, judging that the corresponding possible identity attack segment needs to be modified;
after the possible identity attack segments needing modification are determined, determining the individual anti-attack capability of each modified attack segment and the comprehensive anti-attack capability of all modified attack segments;
and when both the individual anti-attack capability and the comprehensive anti-attack capability meet the anti-attack standard, judging that the modification is successful; otherwise, continuing to modify.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
The technical solution of the present invention is further described in detail by the accompanying drawings and embodiments.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention. In the drawings:
fig. 1 is a flowchart of a threat detection method based on https agents in an embodiment of the present invention;
FIG. 2 is a schematic diagram of a system according to an embodiment of the present invention;
fig. 3 is a schematic diagram of system connection according to an embodiment of the present invention.
Detailed Description
The preferred embodiments of the present invention will be described in conjunction with the accompanying drawings, and it will be understood that they are described herein for the purpose of illustration and explanation and not limitation.
The invention provides a threat detection method based on https agents, as shown in fig. 1, comprising:
step 1: constructing an adaptive https certificate adaptation mechanism;
step 2: in the https interaction process, carrying out covert monitoring on the attack behavior of an attacker based on the adaptive https certificate adaptation mechanism, and obtaining the attack behavior of the attacker;
step 3: analyzing the attack behavior, and locating the compromised terminal based on the bait file of the terminal;
step 4: modifying the identity information of the compromised terminal.
In this embodiment, constructing the adaptive https certificate adaptation mechanism is implemented in the following two ways:
1) deploying the website domain name signing certificate at the gateway;
2) adding the gateway self-signed CA certificate to the trusted certificate authorities in the terminal.
When an attacker accesses the https domain name in the file bait, the browser shows no warning prompt. When the gateway, acting as a man-in-the-middle, interacts with a terminal, the https certificate is provided adaptively according to the accessed domain name, the https traffic is decrypted through the https agent module, threats are detected and alerted, and finally the https data packets are reassembled and sent to the target website.
In this embodiment, the adaptive https certificate adaptation mechanism matches different terminals with certificates effectively. Because the certificates corresponding to different terminals may differ, a certificate consistent with all terminals to be monitored must be constructed in advance; this makes subsequent adaptive configuration convenient, and adopting the mechanism ensures that the encrypted traffic of the terminals is effectively monitored.
In this embodiment, during the https interaction the gateway adopts the certificate adaptation mechanism so that the https certificate is validated by the browser without any warning prompt, and the monitoring cannot be perceived by the attacker. Here the https interaction refers to the attacker logging in to the system and using https encrypted communication to acquire user information.
In this embodiment, the gateway acts as the intermediate link for https decryption and re-encryption; the gateway can acquire all plaintext data packets of the https interaction, and by recording and analyzing the plaintext data packets the attack behavior of the attacker can be quickly gathered as forensic evidence.
In this embodiment, the bait file generated for each terminal is different and uniquely bound to that terminal; for example, the user name and password in the bait file are associated with the ip address and mac address of the terminal, so that after decrypting the https traffic the gateway can uniquely associate the user name, password and similar information with the intranet terminal and quickly locate the compromised terminal.
In this embodiment, the user name and password in the bait file are converted into the preset user name and password by modifying and forwarding the https plaintext data. An attacker therefore cannot log in to the target website from other networks using the information in the decoy file, which prevents information leakage.
The beneficial effects of the above technical scheme are: the method works together with bait files deployed on the terminal side, obtains user-related information by decrypting https encrypted traffic on the gateway side, analyzes and locates the compromised intranet host, and rapidly detects attack threat events.
The invention provides a threat detection method based on an https agent, which constructs an adaptive https certificate adaptation mechanism and comprises the following steps:
deploying matched website domain name signing certificates to different gateways;
and adding the gateway self-signed certificate to the trusted certificate authorities of the terminal, thereby constructing the adaptive https certificate adaptation mechanism.
The beneficial effects of the above technical scheme are: and by constructing an adaptive https certificate adaptation mechanism, the terminal encryption flow can be monitored conveniently and effectively.
The invention provides a threat detection method based on an https agent, in which the covert monitoring comprises the following steps:
when an attacker accesses the https domain name in the file bait, the browser shows no warning prompt;
when the gateway interacts with a terminal, an https certificate is provided adaptively according to the accessed domain name, https encrypted traffic is decrypted through the https agent module, and attack threats are detected and alerted;
reassembling the https data packet and sending it to the target website.
In this embodiment, access to the decoy file is monitored covertly, so that attack behavior that may exist is determined without the monitoring being disclosed to the attacker.
In this embodiment, the purpose of reassembling the https data packet is to effectively block existing attack behavior once an attack threat has been found.
The beneficial effects of the above technical scheme are: through covert monitoring, attack threats can be effectively detected and alerted, and the subsequent elimination of the attack behavior is facilitated.
The invention provides a threat detection method based on an https agent, in which, before locating the compromised terminal based on the bait file of the terminal, the method further comprises the following steps:
calling a bait generation module, and generating a bait file according to the ip address of the terminal, the mac address and the domain name set of the target website;
deploying the bait files to matched terminals, wherein each terminal has a unique bait file;
the bait file comprises a website https domain name, a generated user name NUa and a generated password NPa.
The beneficial effects of the above technical scheme are: generating the bait file and deploying it to the terminal ensures that the monitoring stays covert and effective.
The invention provides a threat detection method based on an https agent, in which analyzing the attack behavior and locating the compromised terminal based on the bait file of the terminal further comprises the following steps:
after the attacker is detected to have penetrated the terminal, searching the bait file of the terminal, acquiring the domain name login information of the bait file, and logging in to the https target website;
when a login to the https target website is detected, acquiring the domain name of the https target website and judging whether the https target website is a known website;
if so, returning the target website certificate of the https target website;
and if the https target website is an unknown website, generating a new certificate signing request according to the domain name of the https target website, signing it with the key corresponding to the CA certificate, returning the domain name certificate, and establishing https connections with both the terminal and the https target website as an intermediate client.
The beneficial effects of the above technical scheme are: establishing the connection facilitates subsequent decryption of the domain name traffic data packets and real-time detection of threats.
The invention provides a threat detection method based on https agent, which modifies the identity information of the attacked terminal and comprises the following steps:
decrypting https encrypted traffic of the appointed monitoring terminal to obtain https plaintext data;
detecting the https plaintext data in real time according to a configuration rule; after matching the website https domain name, user name NUa and password NPa, associating the ip address and mac address of the terminal and sending alarm information;
and at the same time, modifying the https domain name, user name NUa and password NPa of the compromised terminal into a new https domain name, user name Ua and password Pa.
In this embodiment, after the information is modified, the modified information is sent to the target website, and the preset user name and password are used to log in to the target website.
The beneficial effects of the above technical scheme are: plaintext data is obtained through decryption, an alarm is sent, and the modification effectively avoids the possibility of further compromise.
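As an added illustration of the bait generation module and of the gateway-side matching and rewriting described above (example code written for this page, not code from the patent or its assignee): per-terminal decoy credentials are derived from the terminal ip, mac and domain, the gateway matches decrypted login plaintext against them, attributes a hit to the terminal, raises an alarm and swaps in the preset Ua/Pa before forwarding. The HMAC derivation, the form-style login rule and all hosts, addresses and replacement values are assumptions.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass


# Constructed gateway-side secret. The patent does not specify how NUa/NPa are
# derived from the terminal ip/mac and the domain set; a keyed HMAC over those
# values is an assumption made for this example.
GATEWAY_SECRET = b"constructed-gateway-secret-do-not-reuse"


@dataclass(frozen=True)
class Bait:
    terminal_ip: str
    terminal_mac: str
    domain: str      # website https domain name written into the bait file
    username: str    # generated user name NUa
    password: str    # generated password NPa


def generate_baits(terminal_ip, terminal_mac, domains, secret=GATEWAY_SECRET):
    """Bait generation module: one decoy credential per (terminal, domain).

    Because the derivation is keyed on ip and mac, each (domain, NUa, NPa) triple
    is unique to one terminal and the gateway can map it back to that terminal.
    """
    baits = []
    for domain in domains:
        msg = f"{terminal_ip}|{terminal_mac}|{domain}".encode()
        tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()
        baits.append(Bait(terminal_ip, terminal_mac, domain,
                          username=f"u_{tag[:10]}", password=f"P{tag[10:26]}"))
    return baits


# Configuration rule applied to decrypted https plaintext: a form-style login body.
LOGIN_RULE = re.compile(r"username=([^&\s]+)&password=([^&\s]+)")


class GatewayDetector:
    """Gateway-side matching of decrypted plaintext against the deployed bait files."""

    def __init__(self, baits, new_domain, new_username, new_password):
        # (domain, NUa, NPa) -> (terminal ip, terminal mac)
        self._index = {(b.domain, b.username, b.password): (b.terminal_ip, b.terminal_mac)
                       for b in baits}
        # Preset replacement identity (new https domain name, Ua, Pa); constructed values.
        self._replacement = (new_domain, new_username, new_password)
        self.alerts = []

    def inspect(self, host, plaintext):
        """Return (host, body) to forward; record an alarm when a decoy credential is used."""
        m = LOGIN_RULE.search(plaintext)
        if m is None:
            return host, plaintext
        terminal = self._index.get((host, m.group(1), m.group(2)))
        if terminal is None:
            return host, plaintext          # not a decoy credential: forward unchanged
        ip, mac = terminal
        self.alerts.append({"terminal_ip": ip, "terminal_mac": mac,
                            "domain": host, "username": m.group(1)})
        new_domain, ua, pa = self._replacement
        rewritten = plaintext[:m.start()] + f"username={ua}&password={pa}" + plaintext[m.end():]
        return new_domain, rewritten


def demo():
    """Constructed walk-through: two terminals; terminal A's bait credential is replayed."""
    domains = ["mail.example.test", "portal.example.test"]
    baits_a = generate_baits("10.0.0.11", "aa:bb:cc:00:00:11", domains)
    baits_b = generate_baits("10.0.0.12", "aa:bb:cc:00:00:12", domains)
    gw = GatewayDetector(baits_a + baits_b, "honeypot.example.test", "decoy_user", "decoy_pass")
    bait = baits_a[0]
    # Constructed decrypted login body as the https agent module would see it.
    body = f"username={bait.username}&password={bait.password}&remember=1"
    fwd_host, fwd_body = gw.inspect(bait.domain, body)
    return gw.alerts, fwd_host, fwd_body


if __name__ == "__main__":
    alerts, host, body = demo()
    print(alerts)
    print(host, body)
```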
The invention provides a threat detection method based on https agent, which analyzes the attack behavior and locates a trapped terminal based on a bait file of the terminal, and comprises the following steps:
mapping the attack behavior with a preset attack event, and determining a mapping sequence based on the mapping relationship, wherein the mapping sequence comprises the attack strength of any behavior type contained in the attack behavior at different attack time points;
based on the mapping sequence, a first attack array aiming at each attack time point is constructed, and a second attack array aiming at the same behavior type is constructed;
determining a first reference importance of the first attack array:
Figure SMS_14 (formula provided as an image);
where:
Figure SMS_15 represents the total number of attack types contained in the first attack array corresponding to the attack time point;
Figure SMS_16 represents the attack strength under the Figure SMS_17 -th attack type in the first attack array of the corresponding attack time point;
Figure SMS_18 represents the maximum attack strength corresponding to the corresponding attack time point;
Figure SMS_19 represents the exponential function symbol;
Figure SMS_20 represents the attack weight of the Figure SMS_21 -th attack type in the first attack array of the corresponding attack time point;
determining a second reference importance of the second attack array:
Figure SMS_22 (formula provided as an image);
where:
Figure SMS_23 represents the number of attack time points contained in the corresponding second attack array;
Figure SMS_24 represents the attack strength for the same behavior type at the j1-th attack time point in the corresponding second attack array;
Figure SMS_25 represents the maximum attack strength in the corresponding second attack array;
Figure SMS_26 represents the attack weight corresponding to the same behavior type of the second attack array;
extracting a first maximum reference degree from all the first reference importance degrees and a second maximum reference degree from all the second reference importance degrees;
when the first maximum reference degree is smaller than a first preset degree and the second maximum reference degree is smaller than a second preset degree, judging that no compromised terminal exists;
otherwise, deploying on the bait file the important time points corresponding to first reference importance degrees larger than the first preset degree and the important attack types corresponding to second reference importance degrees larger than the second preset degree, and locking the terminal corresponding to the deployed bait file as the compromised terminal.
In this embodiment, the preset attack events are set in advance by combining historical attack events, and each attack event is associated with a corresponding attack behavior. For example, the attack behavior is: attacking the firewall and the attack mode adopted (virus implantation, etc.); the attack event is: attacking the firewall to steal credit card information, together with the attack strength corresponding to the attack mode, and so on.
In this embodiment, a behavior type may be an attack on a different protection system of the terminal, or a different attack mode used against the same protection system, so different attack time points may match multiple behavior types; hence a first attack array has the form [time point 1: (behavior type 1, attack strength), (behavior type 2, attack strength), (behavior type 3, attack strength), ...].
In this embodiment, a second attack array has the form [attack type 1: (time point 1, attack strength), (time point 2, attack strength), ...].
In this embodiment, in the process of determining the importance of the attack arrays, the importance is calculated according to the different calculation formulas, so that the first reference importance and the second reference importance are obtained.
In this embodiment of the present invention, Figure SMS_27, and the cumulative sum of the attack weights of all behavior types in each second attack array is less than or equal to 1.
In this embodiment, the first predetermined degree and the second predetermined degree are both preset.
The beneficial effects of the above technical scheme are: the method comprises the steps of establishing mapping relation between behaviors and events to obtain a mapping sequence, establishing attack arrays of different time points and attack arrays of different behavior types through the sequence to respectively determine corresponding reference importance degrees and provide a basis for determining the attacked terminal, wherein the attacked terminal is indirectly locked by deploying the existing important time points and the important attack types.
The invention provides a threat detection method based on an https agent, which further comprises the following steps in the process of modifying the identity information of the compromised terminal:
acquiring the attack deployment information on the bait file corresponding to the compromised terminal, determining the point distribution of the important time points contained in the attack deployment information, determining the attack time range, and acquiring the total attack times of each single attack type in the point distribution;
screening overlapping attack types and non-overlapping attack types from the important attack types based on important time points and the important attack types based on the attack deployment information, and determining the current value of each first attack type;
acquiring the possible identity attack segments matched with the identity information of the user, extracting from all current values the value set matched with each possible identity attack segment, and obtaining the change probability of each possible identity attack segment;
when the change probability is larger than the preset probability, judging that the corresponding possible identity attack segment needs to be modified;
after the possible identity attack segments needing modification are determined, determining the individual anti-attack capability of each modified attack segment and the comprehensive anti-attack capability of all modified attack segments;
and when both the individual anti-attack capability and the comprehensive anti-attack capability meet the anti-attack standard, judging that the modification is successful; otherwise, continuing to modify.
In the embodiment, the attack behavior corresponds to the attack file, and the sensitivity of the attack file.
In this embodiment, if the terminal locked by the deployed decoy file is terminal 1, then terminal 1 is a compromised terminal.
In this embodiment, the attack deployment information comprises the deployed important time points and the attack information corresponding to those time points, the important attack types, the attack strength information of the important attack types, and so on.
In this embodiment, the point distribution refers to the distribution positions of the important time points on the time axis; for example, the important time points lie at positions 01, 03, 04 and 08, and the time periods corresponding to positions 01, 03 and 04 form the attack time range. The total attack times of a single attack type is the number of attacks of the same attack type in the point distribution, i.e. the sum over each time point in the point distribution of the attacks of that type.
In this embodiment, the total attack times are sorted, attack types are obtained by preliminary screening, and the important attack types are then locked by the attack time range;
for example, within the attack time range, time point 01 has attack types 1 and 2, time point 03 has attack types 1, 2 and 3, and time point 04 has attack types 1, 3 and 4; the total attack times determined over the point distribution are 4 for attack type 1, 3 for attack type 2, 2 for attack type 3 and 2 for attack type 4, and the important attack types based on the important time points obtained at this point are type 1 and type 2.
Determining an important attack type based on an important time point according to the attack time range and the total attack times, and simultaneously determining the important attack type in the attack deployment information;
in this embodiment, the important attack types based on the attack deployment information are, for example, types 1 and 4, at this time, the overlapping attack type is type 1, and the non-overlapping attack type is types 2 and 4.
In this embodiment, the first attack type is each of an overlapping attack type and a non-overlapping attack type, and the current value is the attack strength corresponding to the first type.
Since the identity information contains multiple pieces of privacy information, there are multiple possible identity attack segments. Therefore, for each possible identity attack segment, the attack types matching it are determined and the matching values are extracted from the current values to form its value set. For example, if the attack types for possible identity attack segment 1 are a1 and a2, the values matching attack types a1 and a2 are extracted from the current values, combined into the value set, and used to determine the modification probability.
In this embodiment of the present invention,
Figure SMS_28
the value of the preset probability is generally 0.5.
Individual anti-attack capability = (original protection + improved protection after modification) × (1 + adjustment factor), where the adjustment factor takes values in the range [-0.1, 0.1].
Comprehensive anti-attack capability = (cumulative sum of all individual anti-attack capabilities) × (1 − comprehensive loss factor).
In this embodiment, the attack criterion is preset, and may be an anti-attack threshold, so as to determine whether the modification is successful.
In this embodiment, the modification of the segment which may be attacked by the identity may be to perform fixed encryption again on the information which is encrypted in the segment, or to perform encryption on information which does not have encryption in advance, or to perform character change on original data itself, and so on.
The beneficial effects of the above technical scheme are: by judging, modifying and re-determining the capability after modification, it is determined whether the modification is successful, thereby ensuring the reliability of anti-attack protection.
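The selection of important attack types and the anti-attack capability check described above, as an added Python example that is neither the patent's nor the assignee's code. The contents of time point 08, the top-2 cutoff, the thresholds and the capability inputs are constructed assumptions (chosen so the counts match the figures quoted in the text), and the operator between the bracketed terms of the two capability formulas is taken as multiplication.

```python
from collections import Counter

# Constructed sample input (not the patent's own data): attack types observed at
# each time point of the point distribution. Position 08 is assumed to hold
# types 1, 2 and 4 so that the totals equal those quoted in the description.
POINT_DISTRIBUTION = {
    "01": [1, 2],
    "03": [1, 2, 3],
    "04": [1, 3, 4],
    "08": [1, 2, 4],   # outside the attack time range
}
ATTACK_TIME_RANGE = {"01", "03", "04"}   # assumed: positions 01, 03, 04


def total_attack_times(point_distribution):
    """Sum, per attack type, the attack times over every time point."""
    counts = Counter()
    for types in point_distribution.values():
        counts.update(types)
    return dict(counts)


def important_types_by_time_point(point_distribution, time_range, totals, top_n=2):
    """Preliminary screening by ranking total attack times, then restriction to
    types that actually occur inside the attack time range. top_n is an
    assumed cutoff; the text does not fix how many types are kept."""
    ranked = sorted(totals, key=lambda t: (-totals[t], t))
    in_range = set()
    for point in time_range:
        in_range.update(point_distribution.get(point, []))
    return [t for t in ranked if t in in_range][:top_n]


def split_overlap(types_by_time, types_by_deployment):
    """Overlapping and non-overlapping attack types between the two sources."""
    a, b = set(types_by_time), set(types_by_deployment)
    return sorted(a & b), sorted(a ^ b)


def individual_capability(original, improved, adjustment):
    """(original + improved) * (1 + adjustment); adjustment must lie in [-0.1, 0.1]."""
    if not -0.1 <= adjustment <= 0.1:
        raise ValueError("adjustment factor outside [-0.1, 0.1]")
    return (original + improved) * (1 + adjustment)


def integrated_capability(individuals, loss_factor):
    """Cumulative sum of the individual capabilities * (1 - comprehensive loss factor)."""
    return sum(individuals) * (1 - loss_factor)


def modification_succeeds(segments, loss_factor, single_threshold, integrated_threshold):
    """segments: (original, improved, adjustment) per modified identity segment.
    Success requires every individual capability AND the comprehensive
    capability to reach their (assumed) thresholds; otherwise keep modifying."""
    singles = [individual_capability(*s) for s in segments]
    integrated = integrated_capability(singles, loss_factor)
    return all(s >= single_threshold for s in singles) and integrated >= integrated_threshold


if __name__ == "__main__":
    totals = total_attack_times(POINT_DISTRIBUTION)
    by_time = important_types_by_time_point(POINT_DISTRIBUTION, ATTACK_TIME_RANGE, totals)
    print("totals:", totals, "important by time point:", by_time)
    print("overlap / non-overlap vs deployment [1, 4]:", split_overlap(by_time, [1, 4]))
    print("modification ok:", modification_succeeds(
        [(0.5, 0.3, 0.05), (0.4, 0.4, -0.1)], 0.1, 0.7, 1.3))
```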
The invention provides a threat detection system based on https agents. As shown in fig. 2, the system is deployed and implemented as modules on existing gateway equipment. The system consists of a user management module, an https agent module, a certificate management module, a threat warning module and a bait generation module. The user management module is responsible for user login, provides the access interface of the gateway device, and implements user interaction, policy management, file management and similar functions. The https agent module acts as an https broker: it establishes separate https connections with the terminal and with the https website, and exchanges the data received on each side. The certificate management module provides the domain name certificate used for https security verification according to the policy and the domain name; it also generates the gateway's CA certificate, which must be imported into a certificate authority trusted by the terminal browser. The threat warning module receives the decrypted traffic provided by the https agent, analyzes the https data, and judges whether the data contains the user name and password preset in the bait module; if they match, it associates the terminal device and raises an alarm. The bait generation module generates a bait file according to the ip address, the mac address and the domain name range of the destination website.
As shown in fig. 3, which is a schematic connection diagram of the system, the specific implementation comprises:
1. Log in to the user management module; add the domain names of target websites 1 to n in turn, the preset user name Ua and password Pa, and import the signing certificate and private key of each target website; add the IP addresses and MAC addresses of terminals 1 to m in turn; initialize the certificate management module to generate the gateway CA certificate and private key.
2. Call the bait generation module to generate a bait file according to the terminal ip address, mac address and the set of target website domain names; the bait file content comprises the website https domain name, a generated user name NUa and a generated password NPa.
3. Deploy the terminal's bait file to the terminal, and import the gateway CA certificate into a certificate authority trusted by the browser.
4. After an attacker penetrates the terminal, the attacker searches for the bait file, obtains the domain name login information in it, and logs in to the https target website.
5. The https agent module detects that an https website is being logged in to and sends the domain name to the certificate management module. The certificate management module checks the domain name: if it is a known target website, it returns the target website's certificate; if it is an unknown website, it generates a new certificate signing request from the domain name, signs it with the private key corresponding to the CA certificate, and returns the domain name certificate. The https agent module then establishes an https connection to that domain name in the role of an https client, so that, acting as an https broker, it holds separate https connections with the terminal and with the https website.
6. The https agent module forwards the decrypted traffic data packets for the domain name to the threat warning module in real time.
7. The threat warning module parses the https plaintext data and inspects it in real time according to the configured rules; after matching the website's https domain name, user name NUa and password NPa, it associates the ip address and mac address of the terminal device and sends alarm information; at the same time it replaces the https domain name, user name NUa and password NPa with the https domain name, user name Ua and password Pa, and sends the result to the https agent module.
8. The https agent module forwards the data to the target website, which is thus logged in to with the preset user name and password.
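Steps 2, 3 and 7 above (per-terminal bait generation, the reverse index and the threat warning module's match-alert-rewrite logic on decrypted plaintext), as an added Python example that is not the patent's or the assignee's code. The terminal inventory, target sites, gateway secret, the HMAC derivation of NUa/NPa and the login form body format are all constructed assumptions; TLS interception itself is outside the block.

```python
import hashlib
import hmac
import re

# Constructed inventory (not from the patent): terminals with ip/mac, and target
# websites with the operator-preset credentials Ua/Pa configured in step 1.
TERMINALS = {
    "t1": {"ip": "10.0.0.11", "mac": "aa:bb:cc:00:00:11"},
    "t2": {"ip": "10.0.0.12", "mac": "aa:bb:cc:00:00:12"},
}
TARGET_SITES = {
    "portal.example.test": {"Ua": "admin", "Pa": "RealPassword#1"},
    "mail.example.test": {"Ua": "ops", "Pa": "RealPassword#2"},
}
GATEWAY_SECRET = b"constructed-gateway-secret"  # hypothetical per-gateway key


def derive_bait_credentials(ip, mac, domain):
    """Bind one (NUa, NPa) pair to a terminal and a domain with an HMAC so that
    every terminal's bait file is unique (assumed scheme; the patent only
    requires uniqueness per terminal)."""
    msg = f"{ip}|{mac}|{domain}".encode()
    tag = hmac.new(GATEWAY_SECRET, msg, hashlib.sha256).hexdigest()
    return f"svc_{tag[:8]}", f"Bait-{tag[8:24]}"


def generate_bait_file(terminal_id):
    """Bait generation module: one line per site with https domain, NUa, NPa."""
    t = TERMINALS[terminal_id]
    lines = []
    for domain in TARGET_SITES:
        nua, npa = derive_bait_credentials(t["ip"], t["mac"], domain)
        lines.append(f"https://{domain} {nua} {npa}")
    return "\n".join(lines)


def build_bait_index():
    """Reverse index (domain, NUa, NPa) -> terminal id for the threat warning module."""
    index = {}
    for tid, t in TERMINALS.items():
        for domain in TARGET_SITES:
            index[(domain,) + derive_bait_credentials(t["ip"], t["mac"], domain)] = tid
    return index


# Assumed login body format of the target sites (constructed).
FORM_RE = re.compile(r"username=([^&\s]+)&password=([^&\s]+)")


def inspect_plaintext(domain, body, index):
    """Threat warning module (step 7). Returns (alert, body_to_forward).
    All three of domain, NUa and NPa must match; a hit yields an alert carrying
    the terminal's ip/mac, and the body is rewritten to the preset Ua/Pa so the
    bait credentials never reach the real site."""
    m = FORM_RE.search(body)
    if not m:
        return None, body
    nua, npa = m.group(1), m.group(2)
    tid = index.get((domain, nua, npa))
    if tid is None:
        return None, body
    real = TARGET_SITES[domain]
    alert = {"terminal": tid, "ip": TERMINALS[tid]["ip"],
             "mac": TERMINALS[tid]["mac"], "domain": domain, "bait_user": nua}
    rewritten = body.replace(f"username={nua}&password={npa}",
                             f"username={real['Ua']}&password={real['Pa']}")
    return alert, rewritten


if __name__ == "__main__":
    idx = build_bait_index()
    print(generate_bait_file("t1"))
    nua, npa = derive_bait_credentials("10.0.0.11", "aa:bb:cc:00:00:11", "portal.example.test")
    print(inspect_plaintext("portal.example.test", f"username={nua}&password={npa}", idx))
```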
The beneficial effects are as follows: by adopting an adaptive certificate matching mechanism, the https certificate can be signed and verified by the browser without any prompt or warning, so the monitoring behavior cannot be perceived by the attacker and the https traffic is monitored covertly; because each bait file is bound one-to-one with terminal information, the compromised terminal can be matched quickly once the https traffic is decrypted; and because the user name and password information in the bait file that exposes user information is converted, an attacker cannot use the information in the bait file to log in to the target website from another network, thereby preventing information leakage.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (8)

1. A threat detection method based on https agents is characterized by comprising the following steps:
step 1: constructing an adaptive https certificate adaptation mechanism;
step 2: in the https interaction process, based on the adaptive https certificate adaptation mechanism, carrying out hidden monitoring on the attack behavior of an attacker, and acquiring the attack behavior of the attacker;
step 3: parsing the attack behavior, and locating the compromised terminal based on the bait file of the terminal;
step 4: modifying the identity information of the compromised terminal.
2. The https agent-based threat detection method of claim 1, wherein constructing an adaptive https certificate adaptation mechanism comprises:
deploying matched website domain name signing certificates to different gateways;
and adding the gateway self-signed certificate to a trusted certificate authority in the terminal, and constructing a self-adaptive https certificate adaptation mechanism.
3. The https agent-based threat detection method of claim 1, wherein covertly monitoring the attack behavior of the attacker based on the adaptive https certificate adaptation mechanism comprises:
when an attacker accesses the https domain name in the file bait, the browser does not have any prompting warning information;
when the gateway interacts with a terminal, an https certificate is provided in a self-adaptive manner according to an access domain name, https encrypted traffic is decrypted through an https agent module, and detection and alarm are performed on attack threats;
reassembling the https data packet and sending it to the target website.
4. The https agent-based threat detection method of claim 1, wherein before locating the compromised terminal based on the bait file of the terminal, the method further comprises:
calling a bait generation module, and generating a bait file according to the ip address of the terminal, the mac address and the domain name set of the target website;
deploying the bait files to matched terminals, wherein each terminal has a unique bait file;
the bait file comprises a website https domain name, a generated user name NUa and a generated password NPa.
5. The https agent-based threat detection method of claim 1, wherein parsing the attack behavior and locating the compromised terminal based on the bait file of the terminal further comprises:
searching a bait file of the terminal after detecting that the attacker permeates into the terminal, acquiring domain name login information of the bait file, and logging in an https target website;
when the https target website is detected to be logged in, acquiring a domain name of the https target website, and judging whether the https target website is a known website;
if so, returning a target website certificate of the https target website;
and if the https target website is an unknown website, generating a new certificate signature application according to the domain name of the https target website, using a key corresponding to the CA certificate to sign and return a domain name certificate, and establishing https connection with the terminal and the https target website as an intermediate client.
6. The https agent-based threat detection method of claim 1, wherein modifying the identity information of the compromised terminal comprises:
decrypting https encrypted traffic of the appointed monitoring terminal to obtain https plaintext data;
detecting the https plaintext data in real time according to a configuration rule, associating an ip address and a mac address of a terminal after matching with information of a website https domain name, a user name NUa and a password NPa, and sending alarm information;
and meanwhile, modifying the information of the https domain name, the user name NUa and the password NPa of the attacked terminal into the information of the https new domain name, the user name Ua and the password Pa.
7. The https agent-based threat detection method of claim 1, wherein parsing the attack behavior and locating a compromised terminal based on a bait file for the terminal comprises:
mapping the attack behavior with a preset attack event, and determining a mapping sequence based on the mapping relationship, wherein the mapping sequence comprises the attack strength of any behavior type contained in the attack behavior at different attack time points;
based on the mapping sequence, a first attack array aiming at each attack time point is constructed, and a second attack array aiming at the same behavior type is constructed;
determining a first reference importance of the first attack array:
Figure QLYQS_1
wherein:
Figure QLYQS_2 represents the total number of attack types contained in the first attack array corresponding to the attack time point;
Figure QLYQS_3 represents the attack strength under the Figure QLYQS_4 -th attack type in the first attack array corresponding to the attack time point;
Figure QLYQS_5 represents the maximum attack strength corresponding to the attack time point;
Figure QLYQS_6 represents the exponential function;
Figure QLYQS_7 represents the attack weight of the Figure QLYQS_8 -th attack type in the first attack array corresponding to the attack time point;
determining a second reference importance of the second attack array:
Figure QLYQS_9
wherein:
Figure QLYQS_10 represents the attack time points contained in the corresponding second attack array;
Figure QLYQS_11 represents the attack strength for the same behavior type at the j1-th attack time point in the corresponding second attack array;
Figure QLYQS_12 represents the maximum attack strength in the corresponding second attack array;
Figure QLYQS_13 represents the attack weight corresponding to the same behavior type of the second attack array;
extracting a first maximum reference degree from all the first reference importance degrees and a second maximum reference degree from all the second reference importance degrees;
when the first maximum reference degree is smaller than a first preset degree and the second maximum reference degree is smaller than a second preset degree, judging that no compromised terminal exists;
otherwise, deploying the important time points corresponding to first reference importance degrees larger than the first preset degree and the important attack types corresponding to second reference importance degrees larger than the second preset degree on the bait file, and locking the terminal corresponding to the deployed bait file as the compromised terminal.
8. The https agent-based threat detection method of claim 6, wherein in modifying the identity information of the compromised terminal, further comprising:
acquiring attack deployment information on a bait file corresponding to the attacked terminal, determining point distribution of important time points contained in the attack deployment information, determining an attack time range and acquiring the total attack times of each single attack type in the point distribution;
determining an important attack type based on an important time point according to the attack time range and the total attack times, and simultaneously determining the important attack type in the attack deployment information;
screening an overlapping attack type and a non-overlapping attack type from important attack types based on important time points and important attack types based on the attack deployment information, and determining a current value of each first attack type;
acquiring possible identity attack sections matched with the identity information of the user, extracting a value set matched with each possible identity attack section from all current values, and obtaining the change probability of each possible identity attack section;
when the change probability is larger than the preset probability, judging that the possible attack section of the corresponding identity needs to be modified;
after the possible identity attack sections needing to be modified are judged, the individual anti-attack capability of each modification attack section and the comprehensive anti-attack capability of all the modification attack sections are determined;
and when the single anti-attack capability and the comprehensive anti-attack capability both meet the attacked standard, judging that the modification is successful, and otherwise, continuously modifying.
CN202310258996.5A 2023-03-17 2023-03-17 Threat detection method based on https agent Active CN115987686B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310258996.5A CN115987686B (en) 2023-03-17 2023-03-17 Threat detection method based on https agent

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310258996.5A CN115987686B (en) 2023-03-17 2023-03-17 Threat detection method based on https agent

Publications (2)

Publication Number Publication Date
CN115987686A true CN115987686A (en) 2023-04-18
CN115987686B CN115987686B (en) 2023-06-06

Family

ID=85970804

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310258996.5A Active CN115987686B (en) 2023-03-17 2023-03-17 Threat detection method based on https agent

Country Status (1)

Country Link
CN (1) CN115987686B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160359882A1 (en) * 2015-06-08 2016-12-08 Illusive Networks Ltd. Managing dynamic deceptive environments
CN109218260A (en) * 2017-07-03 2019-01-15 深圳市中兴微电子技术有限公司 A kind of authentication protection system and method based on dependable environment
CN110719291A (en) * 2019-10-16 2020-01-21 杭州安恒信息技术股份有限公司 Network threat identification method and identification system based on threat information
CN113542262A (en) * 2021-07-13 2021-10-22 北京华圣龙源科技有限公司 Intelligent early warning method and device for information security threat of information system
US20210409446A1 (en) * 2020-06-24 2021-12-30 Fortinet, Inc. Leveraging network security scanning to obtain enhanced information regarding an attack chain involving a decoy file
CN114915493A (en) * 2022-06-22 2022-08-16 云南电网有限责任公司 Trapping deployment method based on power monitoring system network attack
CN115277068A (en) * 2022-06-15 2022-11-01 广州理工学院 Novel honeypot system and method based on deception defense

Also Published As

Publication number Publication date
CN115987686B (en) 2023-06-06

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant