WO2017101874A1 - Detection method for apt attack, terminal device, server and system - Google Patents


Info

Publication number
WO2017101874A1
Authority
WO
WIPO (PCT)
Prior art keywords
file
information
preset
gray
terminal device
Application number
PCT/CN2016/110469
Other languages
French (fr)
Chinese (zh)
Inventor
江爱军
张聪
Original Assignee
北京奇虎科技有限公司
北京奇安信科技有限公司
Application filed by 北京奇虎科技有限公司, 北京奇安信科技有限公司

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Definitions

  • APT attack detection method, terminal device, server and system
  • The present invention relates to the field of information security technologies, and in particular to a method, a terminal device, a server, and a system for detecting an APT attack.
  • Background technique
  • APT: Advanced Persistent Threat.
  • An APT attack is more advanced than other forms of attack. Its advanced nature lies mainly in the need for the attacker to collect precise information on the business processes and target systems of the attacked organisation before launching the attack. During this collection phase, the attacker actively exploits vulnerabilities in the systems and applications trusted by the target; these vulnerabilities are used to build the network the attacker needs and to exploit 0day vulnerabilities.
  • The means of an APT attack is to hide itself and to steal data from specific targets over a long period, in a planned and organised manner. This kind of information theft and intelligence gathering in digital space is a form of "cyber espionage".
  • The present invention provides an APT attack detection method, a terminal device, a server, and a system. Its main purpose is to solve the problem that when APT attacks are detected manually they cannot be detected quickly and accurately, and latent APT attacks may be missed, which may seriously threaten the security of computer data.
  • The present invention provides a method for detecting an APT attack, including: the terminal device records attribute information of a preset file in a local area network, where the attribute information of the preset file includes identification information, time information, source information and flow destination information;
  • if the preset file is a gray file, determining whether the gray file triggers a preset abnormal behavior rule;
  • if the gray file triggers the preset abnormal behavior rule, sending to the server abnormal warning information indicating that the gray file triggered the preset abnormal behavior rule, where the abnormal warning information includes the identification information of the terminal device.
  • The present invention provides a method for detecting an APT attack, including: the server receives the attribute information of the gray file reported by each terminal device in the local area network, where the attribute information of the gray file includes identification information, source information, flow destination information, and time information;
  • when receiving abnormal warning information sent by a terminal device in the local area network, obtaining the gray files of that terminal device in a preset time period according to the identification information of the terminal device included in the abnormal warning information, where the abnormal warning information is generated according to the gray file triggering a preset abnormal behavior rule;
  • acquiring, according to the attribute information of the gray file reported by each terminal device in the local area network, a flow path of the gray file, where the flow path is formed by concatenating the source information and flow destination information of the gray file in chronological order.
  • The present invention provides a terminal device, including:
  • a first recording unit configured to record attribute information of a preset file in the local area network, where the attribute information of the preset file includes identification information, time information, source information, and flow destination information;
  • a first determining unit configured to determine, according to the attribute information recorded by the first recording unit, whether the preset file is a gray file, where the gray file is a file that is neither in the whitelist of preset files nor in the blacklist of preset files;
  • a second determining unit configured to determine, when the first determining unit determines that the preset file is a gray file, whether the gray file triggers a preset abnormal behavior rule;
  • a first sending unit configured to send to the server, when the second determining unit determines that the gray file triggers the preset abnormal behavior rule, abnormal warning information indicating that the gray file triggered the preset abnormal behavior rule;
  • where the abnormal warning information includes identification information of the terminal device.
  • The present invention provides a server, including:
  • a first receiving unit configured to receive the attribute information of the gray file reported by each terminal device in the local area network, where the attribute information of the gray file includes identification information, source information, flow destination information, and time information;
  • a first acquiring unit configured to obtain, when abnormal warning information sent by a terminal device in the local area network is received, the gray files of that terminal device in a preset time period according to the identification information of the terminal device included in the abnormal warning information, where the abnormal warning information is generated according to the gray file triggering a preset abnormal behavior rule; a second acquiring unit configured to acquire, according to the gray file identification information received by the first receiving unit, the attribute information of the gray file reported by each terminal device in the local area network;
  • a third acquiring unit configured to acquire a flow path of the gray file according to the attribute information of the gray file reported by each terminal device in the local area network, as acquired by the second acquiring unit, where the flow path is formed by concatenating the source information and flow destination information of the gray file in chronological order.
  • The present invention provides a detection system for an APT attack, the system comprising the terminal device as described above and the server as described above.
  • A computer program comprising computer readable code which, when run on a computing device, causes the computing device to perform the APT attack detection method described above.
  • A computer readable medium in which the above computer program is stored.
  • With the APT attack detection method, terminal device, server, and system provided by the present invention, when detecting an APT attack the terminal device records the attribute information of the preset file in the local area network, where the attribute information of the preset file includes the identification information, the time information, the source information, and the flow destination information; whether the preset file is a gray file is determined according to the attribute information, where the gray file is neither in the whitelist nor in the blacklist of preset files; if the preset file is a gray file, it is determined whether the gray file triggers a preset abnormal behavior rule; if the gray file triggers the preset abnormal behavior rule, abnormal warning information indicating that the gray file triggered the preset abnormal behavior rule is sent to the server, where the abnormal warning information includes the identification information of the terminal device.
  • Compared with the prior-art manner of detecting an APT attack manually, in the present invention, when the abnormal behavior of the gray file triggers the preset abnormal behavior rule, the terminal sends abnormal warning information to the server, and the server obtains the flow path of the gray file according to the identification information of the gray file reported by each terminal in the local area network; from the flow path, the time information and source information of the gray file in the local area network are obtained, so that APT attacks can be detected quickly and accurately.
  • FIG. 1 is a flowchart of a method for detecting an APT attack according to an embodiment of the present invention
  • FIG. 2 is a flowchart of a method for detecting an APT attack according to an embodiment of the present invention
  • FIG. 3 is a block diagram showing a composition of a terminal device according to an embodiment of the present invention
  • FIG. 4 is a block diagram showing the composition of another terminal device according to an embodiment of the present invention.
  • FIG. 5 is a block diagram showing the composition of a server according to an embodiment of the present invention.
  • FIG. 6 is a block diagram showing the composition of another server according to an embodiment of the present invention.
  • FIG. 7 is a block diagram showing the composition of an APT attack detection system according to an embodiment of the present invention.
  • FIG. 8 is a block diagram schematically showing a computing device for performing a detection method of an APT attack according to the present invention.
  • FIG. 9 schematically shows a storage unit for holding or carrying program code for implementing the detection method of the APT attack according to the present invention.
  • Detailed description
  • An embodiment of the present invention provides a method for detecting an APT attack, applied on the terminal device side. As shown in FIG. 1, the method includes:
  • The terminal device records attribute information of a preset file in the local area network.
  • The local area network includes a plurality of terminal devices, and each terminal device records attribute information of the preset file, where the attribute information of the preset file includes identification information, time information, source information, and flow destination information.
  • The preset file refers to a file downloaded from a network or obtained by wired or wireless transmission from a USB flash drive, a hard disk, or a smart phone; network download includes, but is not limited to, website download, mail download, network sharing, and so on.
  • The embodiment of the present invention does not limit the source of the preset file or the specific type of the preset file.
  • To ensure that the terminal device records the attribute information of the preset file accurately, the attribute information is recorded when the terminal device receives the preset file for the first time, and it is recorded only once. Before the attribute information of the preset file is recorded, the security level of the preset file cannot be determined; therefore the attribute information of all preset files in the terminal device needs to be recorded. The security level of a preset file is one of: a whitelist file, a blacklist file, or a gray file.
  • The gray file is a file that is in neither the whitelist nor the blacklist.
  • The embodiment of the present invention records the attribute information of the preset file in the local area network;
  • the specific timing of recording and the security level of the preset file are not limited.
  • For example, the preset file I is transferred to terminal device A by a user using a USB drive (U disk) on March 4, 2015, and on May 28, 2015 terminal device A sends the preset file I to terminal device B and terminal device C by mail.
  • Terminal device A records the attribute information of the preset file as follows: the identification information of the preset file is WJ-001, the time information is March 4, 2015, the source information is the USB drive, and the flow destination information is terminal device B and terminal device C. Terminal device B records: the identification information is WJ-001, the time information is May 28, 2015, the source information is terminal device A, and the flow destination information is not stated. Terminal device C records: the identification information is WJ-001, the time information is May 28, 2015, the source information is terminal device A, and the flow destination information is none.
  • The specific content of the attribute information of the preset file recorded by the terminal device is not limited in the embodiment of the present invention.
  • The terminal device determines, according to the attribute information, whether the preset file is a gray file.
  • The security level of the preset file is determined based on the attribute information of the preset file recorded in step 101. If the preset file is a whitelist file, it is safe and no APT can exist in it. If the preset file is a blacklist file, it is a dangerous file and is filtered or deleted. If the preset file is a gray file, its risk factor is unknown; therefore the gray file needs to be tracked.
  • The terminal device determines whether the gray file triggers a preset abnormal behavior rule.
  • After determining that the preset file is a gray file: if there is no abnormal behavior while the gray file flows between terminal devices in the local area network, no APT attack exists in the gray file; if an abnormal behavior occurs while the file flows between terminal devices in the local area network, an APT attack may exist in the gray file.
  • An APT attack has a high degree of concealment, and the time at which it is launched is uncertain. Therefore, in the embodiment of the present invention, the terminal device monitors the gray file to determine whether it triggers the preset abnormal behavior rule.
  • The preset abnormal behavior rule is an empirical value.
  • The abnormal behavior rule may include, but is not limited to, for example: access rights of the gray file, execution time of the gray file, and the like.
  • For example, the finance department has its corresponding access rights and the R&D department has its corresponding access rights. If a gray file in a terminal device of the R&D department accesses the finance department, the gray file triggers the preset abnormal behavior rule.
  • For example, a terminal device has fixed working hours. Assume the working hours of the terminal device are 09:00-17:30. If a gray file in the terminal device is executed automatically at 22:00, the gray file triggers the preset abnormal behavior rule.
  • The specific content of the preset abnormal behavior rule is not specifically limited in the embodiment of the present invention.
  • The terminal device sends to the server abnormal warning information indicating that the gray file triggered the preset abnormal behavior rule.
  • When the gray file triggers the preset abnormal behavior rule, the terminal device determines that an APT attack may be present in the gray file, and therefore sends abnormal warning information for the abnormal behavior to the server, where the abnormal warning information includes the identification information of the terminal device.
  • With the APT attack detection method of this embodiment, when detecting an APT attack the terminal device records the attribute information of the preset file in the local area network, where the attribute information of the preset file includes the identification information, the time information, the source information, and the flow destination information; it determines, according to the attribute information, whether the preset file is a gray file, where the gray file is neither in the whitelist nor in the blacklist of preset files; if it determines that the preset file is a gray file, it determines whether the gray file triggers a preset abnormal behavior rule; if it determines that the gray file triggers the preset abnormal behavior rule, it sends to the server abnormal warning information indicating that the gray file triggered the preset abnormal behavior rule, where the abnormal warning information includes the identification information of the terminal device.
  • Compared with the prior-art manner of detecting an APT attack manually, in the embodiment of the present invention, when the gray file triggers the preset abnormal behavior rule, the terminal sends abnormal warning information to the server,
  • and the server obtains the flow path of the gray file according to the identification information of the gray file reported by each terminal in the local area network; from the flow path, the time information and source information of the gray file in the local area network are obtained, so that the APT attack can be detected quickly and accurately.
  • The recording by the terminal device of the attribute information of the preset file in the local area network in step 101 can be implemented by, but is not limited to, the following manners:
  • Manner 1: record the attribute information of the preset file in the local area network based on a preset driver.
  • The preset driver automatically recognizes the preset file and records its attribute information; the embodiment of the present invention does not limit the specific type of the preset driver.
  • Manner 2: record the attribute information of the preset file in the local area network based on a preset gateway device.
  • The preset gateway device automatically recognizes the preset file and records its attribute information.
  • Correspondingly, if the preset file is a gray file and the gray file triggers the preset abnormal behavior rule, the preset gateway device reports to the server the abnormal warning information indicating that the gray file triggered the preset abnormal behavior rule.
  • So that the gray file in the terminal device can be traced in time, before the terminal device sends the abnormal warning information indicating that the gray file triggered the preset abnormal behavior rule, the terminal device records the time information, source information, and flow destination information of the gray file according to the identification information of the gray file, and sends the recorded time information, source information, and flow destination information of the gray file to the server.
  • A plurality of gray files may exist in the same terminal device, and the terminal device needs to record the time information, source information, and flow destination information of each gray file according to that gray file's own identification information.
  • Each terminal device in the local area network reports the time information, source information, and flow destination information of the gray file to the server, to ensure the integrity and accuracy of the flow path when the server traces the flow path of the gray file.
  • The specific process is as follows: after the terminal device records the attribute information of the preset file, the attribute information is sent to the cloud scanning server (the "cloud killing" server), which holds the blacklist and whitelist of preset files. After receiving the attribute information of the preset file, the cloud scanning server obtains the identification information in the attribute information and traverses the blacklist and the whitelist with it. If the identification information is in the blacklist, the preset file corresponding to the identification information is filtered directly;
  • if the identification information is in the whitelist, the preset file corresponding to the identification information is determined to be a safe file; if the identification information is in neither the whitelist nor the blacklist, the preset file corresponding to the identification information is determined to be a gray file.
  • The cloud scanning server returns the identification information of the gray file to the terminal device, so that the terminal device can record the attribute information of the gray file and report it to the server.
  • A preset abnormal behavior rule is generated, and the preset abnormal behavior rule is used to determine whether the gray file exhibits abnormal behavior.
  • Determining, by the terminal device, whether the gray file triggers the preset abnormal behavior rule specifically includes: acquiring the preset abnormal behavior rule, determining whether the gray file exhibits an abnormal behavior, and determining whether the abnormal behavior triggers the preset abnormal behavior rule.
  • For example, the preset abnormal behavior rule is: when the gray file is executed at an abnormal time more than once, the gray file triggers the preset abnormal behavior rule, the abnormal execution time being 22:00 to 05:00 the next day. If the gray file is executed once at 23:00, the terminal device determines that this execution of the gray file is an abnormal behavior and checks whether the gray file has been executed abnormally more than once within one day; if the gray file was executed abnormally once, no abnormal warning information is reported to the server; if the gray file was executed abnormally twice, the abnormal warning information is reported to the server.
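The terminal-side logic described above (gray-file classification, one-time recording of attribute information, and the 22:00-05:00 "more than once in one day" execution rule), written out as an added example; this is not code from the patent, and the whitelist/blacklist identifiers, the day-boundary convention for the overnight window, and the warning field names are assumptions of this example:

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed whitelist / blacklist of preset-file identifiers (placeholders, not values from the patent).
WHITELIST = {"WJ-100"}
BLACKLIST = {"WJ-200"}

# The rule from the description: execution between 22:00 and 05:00 the next day is abnormal,
# and the rule is triggered only when that happens more than once within one day.
ABNORMAL_START = time(22, 0)
ABNORMAL_END = time(5, 0)


def classify(file_id: str) -> str:
    """Security level of a preset file: whitelist, blacklist, or gray (in neither list)."""
    if file_id in WHITELIST:
        return "whitelist"
    if file_id in BLACKLIST:
        return "blacklist"
    return "gray"


def is_abnormal_execution(when: datetime) -> bool:
    """True when the execution time falls inside the 22:00-05:00 window, which crosses midnight."""
    t = when.time()
    return t >= ABNORMAL_START or t < ABNORMAL_END


def window_day(when: datetime) -> date:
    """Key used for 'more than once within one day': a 22:00-05:00 window is attributed
    to the date it started on (an assumption of this example; the patent does not say
    how the day boundary is drawn)."""
    if when.time() < ABNORMAL_END:
        return (when - timedelta(days=1)).date()
    return when.date()


@dataclass
class FileRecord:
    """Attribute information the terminal records once per preset file."""
    file_id: str
    time: datetime
    source: str
    destinations: List[str]


class TerminalDevice:
    def __init__(self, device_id: str) -> None:
        self.device_id = device_id
        self.records: Dict[str, FileRecord] = {}
        self.abnormal_runs: Dict[Tuple[str, date], int] = {}

    def record_file(self, rec: FileRecord) -> bool:
        """Record attribute information only the first time the preset file is received."""
        if rec.file_id in self.records:
            return False
        self.records[rec.file_id] = rec
        return True

    def gray_file_report(self) -> List[dict]:
        """Attribute information of gray files only, reported to the server for flow-path tracing."""
        return [
            {"file_id": r.file_id, "time": r.time.isoformat(), "source": r.source,
             "destinations": list(r.destinations)}
            for r in self.records.values() if classify(r.file_id) == "gray"
        ]

    def on_execution(self, file_id: str, when_iso: str) -> Optional[dict]:
        """Apply the rule to one execution event (ISO-8601 timestamp).
        Returns abnormal warning information when the rule is triggered, else None."""
        when = datetime.fromisoformat(when_iso)
        if classify(file_id) != "gray" or not is_abnormal_execution(when):
            return None
        key = (file_id, window_day(when))
        self.abnormal_runs[key] = self.abnormal_runs.get(key, 0) + 1
        if self.abnormal_runs[key] < 2:
            return None  # a single abnormal execution is not reported
        return {
            "terminal_id": self.device_id,  # identification information of the terminal device
            "file_id": file_id,
            "rule": "abnormal execution more than once within one day",
            "count": self.abnormal_runs[key],
            "time": when.isoformat(),
        }
```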
  • Another embodiment of the present invention provides a method for detecting an APT attack.
  • The method is applied on the server side. As shown in FIG. 2, the method includes:
  • The server receives the attribute information of the gray file reported by each terminal device in the local area network.
  • The attribute information of the gray file includes the identification information, the source information, the flow destination information, and the time information.
  • When receiving abnormal warning information sent by a terminal device in the local area network, the server obtains the gray files of that terminal device in a preset time period according to the identification information of the terminal device included in the abnormal warning information.
  • When a terminal device reports an abnormal warning, it indicates that an APT attack may be present in a gray file in that terminal device; the abnormal warning information is generated according to the gray file triggering the preset abnormal behavior rule.
  • After the server receives the abnormal warning information sent by the terminal device, it obtains all gray files of that terminal device in the preset time period according to the identification information of the terminal device included in the abnormal warning information, and obtains the identification information corresponding to all those gray files.
  • The preset time period is set manually by the LAN operation and maintenance personnel.
  • For example, the preset time period may be set to one week, or it may be set to one month;
  • the embodiment of the present invention does not limit the setting of the preset time period.
  • The server obtains, according to the identification information of the gray file, the attribute information of the gray file reported by each terminal device in the local area network.
  • When the server receives the time information, source information, and flow destination information sent by the terminal devices, it only saves the received information and does not yet concatenate the flow path of the gray file in the local area network according to the identification information of the gray file. Only when a terminal device sends abnormal warning information does the server concatenate the time information, source information, and flow destination information of the gray file in the local area network.
  • The server obtains the flow path of the gray file according to the attribute information of the gray file reported by each terminal device in the local area network.
  • After obtaining the attribute information of the gray file reported by each terminal device in the local area network, the server connects the source information and flow destination information of the gray file, selected by the identification information of the gray file, sequentially in chronological order, forming the file's flow path, and outputs the flow path so that the LAN operation and maintenance personnel can find the source of the APT attack.
  • When the flow path is displayed, it is displayed in the form of a graph that includes the time information of the gray file flowing in the local area network; or the flow path of the gray file is displayed along a time axis.
  • The embodiment of the present invention does not limit the manner in which the output flow path is displayed.
  • With the APT attack detection method of this embodiment, when detecting an APT attack the terminal device records the attribute information of the preset file in the local area network, where the attribute information of the preset file includes the identification information, the time information, the source information, and the flow destination information; it determines, according to the attribute information, whether the preset file is a gray file, where the gray file is neither in the whitelist nor in the blacklist of preset files; if it determines that the preset file is a gray file, it determines whether the gray file triggers a preset abnormal behavior rule; if it determines that the gray file triggers the preset abnormal behavior rule, it sends to the server abnormal warning information indicating that the gray file triggered the preset abnormal behavior rule, where the abnormal warning information includes the identification information of the terminal device. Compared with the prior-art manner of detecting an APT attack manually, in the embodiment of the present invention, when the abnormal behavior of the gray file triggers the preset abnormal behavior rule, the terminal sends abnormal warning information to the server.
  • The flow path of the gray file is obtained according to the gray file's identification information, which is used to look up the attribute information of the gray file, determine its time information, source information, and flow destination information, and concatenate the source information and flow destination information of the gray file in the order of the time information.
  • For example, the server searches the attribute information reported by each terminal device according to the identification information HWJ-008; the terminal devices whose attribute information includes HWJ-008 are terminal device 8, terminal device 1, terminal device 12, and terminal device 45. The time information recorded in terminal device 8 is February 20, 2015, the source information is the XXX website, and the flow destination information is terminal device 1; the time information recorded in terminal device 12 is March 15, 2015, the source information is terminal device 1, and the flow destination information is terminal device 45;
  • the time information recorded in terminal device 45 is April 6, 2015, the source information is terminal device 12, and the flow destination information is none.
  • The server forms the flow path of the gray file whose identification information is HWJ-008: terminal device 8 (February 20, 2015) → terminal device 1 (March 9, 2015) → terminal device 12 (March 15, 2015) → terminal device 45 (April 6, 2015).
  • The above is only an illustrative example;
  • the embodiment of the present invention does not limit the identification information, the source information, or the flow destination information of the gray file in the local area network.
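The server side of the description (storing reported gray-file attribute information unchained, selecting the warning terminal's gray files within the preset time period, then concatenating source and destination information chronologically into a flow path), written out as an added example that is not code from the patent. The HWJ-008 reports are constructed to match the path given above; terminal device 1's own record is not on the page and is filled in consistently with that path, and the 30-day preset period and the chain-consistency check are assumptions of this example:

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class GrayFileReport:
    """Attribute information of one gray file as reported by one terminal device."""
    terminal_id: str
    file_id: str
    time: date
    source: str                  # previous terminal id, or an external origin (website, USB drive)
    destination: Optional[str]   # next terminal the file flowed to; None if it stopped here


def sample_reports() -> List[GrayFileReport]:
    """Constructed reports matching the HWJ-008 path in the description. Terminal device 1's
    record is not on the page and is filled in here consistently with that path."""
    return [
        GrayFileReport("8", "HWJ-008", date(2015, 2, 20), "XXX website", "1"),
        GrayFileReport("1", "HWJ-008", date(2015, 3, 9), "8", "12"),
        GrayFileReport("12", "HWJ-008", date(2015, 3, 15), "1", "45"),
        GrayFileReport("45", "HWJ-008", date(2015, 4, 6), "12", None),
    ]


class Server:
    def __init__(self, preset_period: timedelta = timedelta(days=30)) -> None:
        self.preset_period = preset_period       # set by LAN operations staff; one month here
        self.reports: List[GrayFileReport] = []  # saved as received, not chained until a warning

    def receive(self, report: GrayFileReport) -> None:
        self.reports.append(report)

    def gray_files_of(self, terminal_id: str, now_iso: str) -> List[str]:
        """Identifiers of gray files recorded on one terminal within the preset time period."""
        now = date.fromisoformat(now_iso)
        since = now - self.preset_period
        return sorted({r.file_id for r in self.reports
                       if r.terminal_id == terminal_id and since <= r.time <= now})

    def _hops(self, file_id: str) -> List[GrayFileReport]:
        return sorted((r for r in self.reports if r.file_id == file_id), key=lambda r: r.time)

    def flow_path(self, file_id: str) -> List[Tuple[str, str]]:
        """Concatenate the source/destination information of one gray file in chronological
        order, checking that each hop's recorded source is the terminal of the previous hop
        and that the previous hop's recorded destination is this terminal."""
        path: List[Tuple[str, str]] = []
        prev: Optional[GrayFileReport] = None
        for cur in self._hops(file_id):
            if prev is not None and (cur.source != prev.terminal_id
                                     or prev.destination != cur.terminal_id):
                raise ValueError(f"{file_id}: chain broken between terminal "
                                 f"{prev.terminal_id} and terminal {cur.terminal_id}")
            path.append((cur.terminal_id, cur.time.isoformat()))
            prev = cur
        return path

    def origin(self, file_id: str) -> Optional[str]:
        """Where the gray file entered the LAN: the source recorded by the earliest hop."""
        hops = self._hops(file_id)
        return hops[0].source if hops else None

    def on_warning(self, warning: dict, now_iso: str) -> Dict[str, str]:
        """Handle abnormal warning information from a terminal: trace every gray file that
        terminal recorded within the preset period and render each path for the operators."""
        terminal_id = warning["terminal_id"]  # identification information of the terminal device
        return {fid: render(self.flow_path(fid))
                for fid in self.gray_files_of(terminal_id, now_iso)}


def render(path: List[Tuple[str, str]]) -> str:
    """Text form of a flow path, in the style used in the description."""
    return " -> ".join(f"terminal device {t} ({d})" for t, d in path)
```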
  • the server before receiving the attribute information of the gray file reported by each terminal device in the local area network, receives the preset file sent by the terminal device, and receives a database table sent by the cloud killing server, where the database table is based on the cloud killing database.
  • the whitelist and the blacklist of the preset file are generated.
  • the server determines whether the received preset file is a gray file according to the database table. After determining that the preset file is a gray file, the attribute information of the gray file reported by the terminal device is received.
  • the server determines that the preset file is a gray file and receives only the attribute information of the gray file; it does not receive the attribute information of preset files that the cloud killing server has placed in the whitelist or the blacklist, which saves part of the server's processing resources. At the same time, preset files in the whitelist are not subject to an APT attack, so there is no need to track them.
  • the cloud killing server scans the preset files recorded by the terminal device in real time and determines the security of each preset file, that is, whether the preset file is a whitelist file, a blacklist file or a gray file; after determining the type of the preset file, it stores the result in a database table and sends the database table to the server at a preset period, or sends the database table to the server in real time once the type of the preset file has been determined; the embodiment of the present invention does not limit the timing of sending the database table to the server.
  • another embodiment of the present invention further provides a terminal device.
  • the device embodiment corresponds to the foregoing method embodiment.
  • for ease of reading, the device embodiment does not describe the details of the foregoing method embodiment one by one, but it should be clear that the device in this embodiment can implement all the contents of the foregoing method embodiment.
  • a terminal device provided by the embodiment of the present invention, as shown in FIG. 3, includes:
  • the first recording unit 31 is configured to record attribute information of the preset file in the local area network, where the attribute information of the preset file includes identification information, time information, source information, and flow target information;
  • a first determining unit 32 configured to determine, according to the attribute information recorded by the first recording unit 31, whether the preset file is a gray file, wherein the gray file is present in neither the whitelist nor the blacklist of the preset file;
  • a second determining unit 33 configured to: when the first determining unit 32 determines that the preset file is the gray file, determine whether the gray file triggers a preset abnormal behavior rule;
  • the first sending unit 34 is configured to: when the second determining unit 33 determines that the gray file triggers the preset abnormal behavior rule, send to the server the abnormal warning information indicating that the gray file has triggered the preset abnormal behavior rule;
  • the abnormal warning information includes identification information of the terminal device.
  • the first recording unit 31 includes:
  • the first recording module 311 is configured to record attribute information of the preset file in the local area network based on a preset driver; and the second recording module 312 is configured to record attribute information of the preset file in the local area network based on a preset gateway device.
  • the terminal device further includes a second recording unit 35, configured to record, according to the identification information of the gray file, the time information, source information and flow destination information of the gray file before the first sending unit 34 sends to the server the abnormal warning information indicating that the gray file has triggered the preset abnormal behavior rule;
  • the second sending unit 36 is configured to send the time information, the source information, and the flow target information recorded by the second recording unit 35 to the server.
  • the first determining unit 32 includes:
  • the sending module 321 is configured to send the attribute information to the cloud killing server, so that the cloud killing server determines, according to the attribute information, whether the preset file is the gray file, and when the cloud killing server returns the identifier information of the gray file, determining that the preset file is a gray file;
  • a determining module 322, configured to determine, after the sending module 321 sends the attribute information to the cloud killing server, whether the preset file is a gray file according to whether the cloud killing server returns the identifier information of the gray file.
  • the terminal device further includes a generating unit 37, configured to generate the preset abnormal behavior rule before the second determining unit 33 determines whether the gray file triggers the preset abnormal behavior rule.
  • the second determining unit 33 includes:
  • the obtaining module 331 is configured to obtain the preset abnormal behavior rule;
  • the determining module 333 is configured to determine whether the abnormal behavior determined by the determining module 332 triggers the preset abnormal behavior rule obtained by the obtaining module 331.
  • further, as an implementation of the method shown in FIG. 2, another embodiment of the present invention further provides a server.
  • the device embodiment corresponds to the foregoing method embodiment. For ease of reading, the device embodiment does not describe the details of the foregoing method embodiment one by one, but it should be clear that the device in this embodiment can implement all the contents of the foregoing method embodiment.
  • An embodiment of the present invention provides a server, as shown in FIG. 5, including:
  • the first receiving unit 51 is configured to receive the attribute information of the gray file reported by each terminal device in the local area network, where the attribute information of the gray file includes the identification information, the source information, the flow destination information, and the time information.
  • the first obtaining unit 52 is configured to acquire, when receiving the abnormal warning information sent by a terminal device in the local area network, the gray files of that terminal device in the preset time period according to the identification information of the terminal device included in the abnormal warning information;
  • the abnormal warning information is generated according to the gray file triggering preset abnormal behavior rule;
  • the second obtaining unit 53 is configured to acquire the attribute information of the gray file reported by each terminal device in the local area network according to the identifier information of the gray file received by the first receiving unit 51;
  • the third obtaining unit 54 is configured to acquire the flow path of the gray file according to the attribute information of the gray file reported by each terminal device in the local area network, where the flow path is formed by connecting the source information and the flow destination information of the gray file in series in chronological order.
  • the server further includes a parsing unit 55, configured to parse the attribute information of the gray file according to the identifier information of the gray file after the second obtaining unit 53 acquires, according to the identifier information of the gray file, the attribute information of the gray file reported by each terminal device in the local area network;
  • the first determining unit 56 is configured to determine, after the parsing unit 55 parses the attribute information of the gray file according to the identifier information of the gray file, time information, source information, and flow target information of the gray file;
  • the serial unit 57 is configured to serially connect the source information of the gray file and the flow target information according to a sequence of the time information determined by the first determining unit 56;
  • the forming unit 58 is configured to form the flow path of the gray file.
  • the server further includes a second receiving unit 59, configured to receive the preset file sent by the terminal device before the first receiving unit 51 receives the attribute information of the gray file reported by each terminal device in the local area network;
  • the third receiving unit 510 is configured to receive a database table sent by the cloud killing server, where the database table is generated by the cloud checking server according to the whitelist and the blacklist of the preset file;
  • a second determining unit 511 configured to determine, according to the database table received by the third receiving unit 510, whether the preset file is the gray file;
  • the first receiving unit 51 is further configured to: when the second determining unit 511 determines according to the database table that the preset file is the gray file, receive the attribute information of the gray file reported by each terminal device in the local area network.
  • the embodiment of the present invention further provides an APT attack detection system.
  • the system includes the terminal device 71 as shown in either of FIG. 3 and FIG. 4, and the server 72 as shown in either of FIG. 5 and FIG. 6.
  • in the terminal device, the server and the APT attack detection system provided by the embodiment of the present invention, when detecting an APT attack, the terminal device records the attribute information of the preset file in the local area network, where the attribute information of the preset file includes the identification information, the time information, the source information and the flow destination information; determines, according to the attribute information, whether the preset file is a gray file, where the gray file is present in neither the whitelist nor the blacklist of the preset file; if the preset file is the gray file, determines whether the gray file triggers a preset abnormal behavior rule; and if the gray file triggers the preset abnormal behavior rule, sends to the server the abnormal warning information indicating that the gray file has triggered the preset abnormal behavior rule, where the abnormal warning information includes the identification information of the terminal device.
  • compared with the prior art, in which APT attacks are detected manually, in the embodiment of the present invention the terminal sends the abnormal warning information to the server when the abnormal behavior of the gray file triggers the preset abnormal behavior rule.
  • the server obtains the flow path of the gray file according to the identification information of the gray file reported by each terminal in the local area network, and from the flow path obtains the time information, source information and so on of the gray file in the local area network, so that APT attacks can be detected quickly and accurately.
  • modules in the devices of the embodiments can be adaptively changed and placed in one or more devices different from the embodiment.
  • the modules or units or components of the embodiments may be combined into one module or unit or component, and further they may be divided into a plurality of sub-modules or sub-units or sub-components.
  • the features disclosed in the specification (including the accompanying claims, the abstract and the drawings), and all processes or units of any method or device so disclosed, may be combined in any combination.
  • Each feature disclosed in the specification (including the accompanying claims, the abstract and the drawings) may be replaced by an alternative feature that provides the same, equivalent or similar purpose.
  • Various component embodiments of the present invention may be implemented in hardware, or as software running on one or more processors.
  • Those skilled in the art will appreciate that some or all of the functionality of some or all of the components of the display device for map search results in accordance with embodiments of the present invention may be implemented in practice using a microprocessor or digital signal processor (DSP).
  • the invention can also be implemented as a device or device program (e.g., a computer program and a computer program product) for performing some or all of the methods described herein.
  • Such a program implementing the invention may be stored on a computer readable medium or may be in the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
  • Figure 8 illustrates a computing device that can implement a method of detecting an APT attack in accordance with the present invention.
  • the computing device conventionally includes a processor 810 and a computer program product or computer readable medium in the form of a memory 820.
  • Memory 820 can be an electronic memory such as flash memory, EEPROM (Electrically Erasable Programmable Read Only Memory), EPROM, hard disk or ROM.
  • Memory 820 has a memory space 830 for program code 831 for performing any of the method steps described above.
  • storage space 830 for program code can include various program code 831 for implementing various steps in the above methods, respectively.
  • the program code can be read from or written to one or more computer program products.
  • Such computer program products include program code carriers such as hard disks, compact disks (CDs), memory cards or floppy disks.
  • Such a computer program product is typically a portable or fixed storage unit as described with reference to Figure 9.
  • the storage unit can have storage segments, storage spaces and the like arranged similarly to the memory 820 in the computing device of FIG. 8.
  • the program code can be compressed, for example, in an appropriate form.
  • the storage unit includes computer readable code 83, i.e. code readable by a processor such as the processor 810, which, when executed by the computing device, causes the computing device to perform each of the steps of the methods described above.
  • “an embodiment,” “one embodiment,” or “one or more embodiments” as used herein means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the invention.
  • the phrase “in one embodiment” herein does not necessarily refer to the same embodiment.


Abstract

Disclosed are a detection method for an APT attack, a terminal device, a server and a system, which relate to the technical field of information security and are primarily used for realizing rapid and precise detection of APT attacks. The primary technical solution of the present invention comprises: a terminal device recording attribute information about a pre-set file in a local area network, wherein the attribute information about the pre-set file comprises identification information, time information, source information, and transfer target information; determining whether the pre-set file is a grey file according to the attribute information, wherein the grey file neither exists in a white list of the pre-set file nor a black list in the pre-set file; if it is determined that the pre-set file is a grey file, then determining whether the grey file has triggered a pre-set abnormal behaviour rule; and if it is determined that the grey file has triggered the pre-set abnormal behaviour rule, sending to a server abnormality alarm information about the grey file having triggered the pre-set abnormal behaviour rule, wherein the abnormality alarm information contains identification information about the terminal device. The present invention is primarily applied in the process of detecting an APT attack.

Description

APT attack detection method, terminal device, server and system

Technical Field

The present invention relates to the field of information security technologies, and in particular to an APT attack detection method, a terminal device, a server and a system.

Background Art
With the continuous development of computer technology, society is becoming ever more information-based, and society as a whole is becoming ever more dependent on computer information. At the same time, threats to the security of computer files are growing continuously, and the Advanced Persistent Threat (APT), a form of sustained network attack, has become one of the most serious threats in the field of information security.

The principle of an APT attack is more sophisticated than that of other forms of attack; its sophistication lies mainly in the fact that, before launching the attack, the APT needs to collect precise information about the target's business processes and target systems. During this collection, the attack actively probes for vulnerabilities in the systems and applications trusted by the target, uses these vulnerabilities to build the network the attacker needs, and attacks using 0day vulnerabilities. The approach of an APT attack is to conceal itself and to steal data from a specific target over a long period in a planned and organized manner; this theft of data and gathering of intelligence in the digital space is a form of "cyber espionage".

In order to detect hidden APT attacks so that they can be remediated in time, a variety of solutions have been devised. The technical solution commonly used at present relies on human experience for judgement; such a judgement method cannot detect APT attacks quickly and accurately and may miss latent APT attacks, and may therefore seriously threaten the security of computer data.

Summary of the Invention

In view of this, the present invention provides an APT attack detection method, a terminal device, a server and a system, the main purpose of which is to solve the problem that, when APT attacks are detected manually, they cannot be detected quickly and accurately and latent APT attacks may be missed, which may seriously threaten the security of computer data.
According to one aspect of the present invention, an APT attack detection method is provided, including: a terminal device records attribute information of a preset file in a local area network, where the attribute information of the preset file includes identification information, time information, source information and flow destination information;
determining, according to the attribute information, whether the preset file is a gray file, where the gray file exists in neither the whitelist nor the blacklist of the preset file;
if it is determined that the preset file is the gray file, determining whether the gray file triggers a preset abnormal behavior rule;
if it is determined that the gray file triggers the preset abnormal behavior rule, sending to a server abnormal warning information indicating that the gray file has triggered the preset abnormal behavior rule, where the abnormal warning information includes identification information of the terminal device.
According to another aspect of the present invention, an APT attack detection method is provided, including: a server receives attribute information of gray files reported by each terminal device in a local area network, where the attribute information of a gray file includes identification information, source information, flow destination information and time information;
when abnormal warning information sent by a terminal device in the local area network is received, acquiring, according to the identification information of the terminal device included in the abnormal warning information, the gray files of that terminal device within a preset time period, where the abnormal warning information is generated when a gray file triggers a preset abnormal behavior rule;
acquiring, according to the identification information of the gray file, the attribute information of the gray file reported by each terminal device in the local area network;
acquiring, according to the attribute information of the gray file reported by each terminal device in the local area network, the flow path of the gray file, where the flow path is formed by connecting the source information and flow destination information of the gray file in series in chronological order.
According to a further aspect of the present invention, a terminal device is provided, including:
a first recording unit, configured to record attribute information of a preset file in a local area network, where the attribute information of the preset file includes identification information, time information, source information and flow destination information;
a first determining unit, configured to determine, according to the attribute information recorded by the first recording unit, whether the preset file is a gray file, where the gray file exists in neither the whitelist nor the blacklist of the preset file;
a second determining unit, configured to determine, when the first determining unit determines that the preset file is the gray file, whether the gray file triggers a preset abnormal behavior rule;
a first sending unit, configured to send to a server, when the second determining unit determines that the gray file triggers the preset abnormal behavior rule, abnormal warning information indicating that the gray file has triggered the preset abnormal behavior rule, where the abnormal warning information includes identification information of the terminal device.
According to yet another aspect of the present invention, a server is provided, including:
a first receiving unit, configured to receive attribute information of gray files reported by each terminal device in a local area network, where the attribute information of a gray file includes identification information, source information, flow destination information and time information;
a first acquiring unit, configured to acquire, when abnormal warning information sent by a terminal device in the local area network is received, the gray files of that terminal device within a preset time period according to the identification information of the terminal device included in the abnormal warning information, where the abnormal warning information is generated when a gray file triggers a preset abnormal behavior rule;
a second acquiring unit, configured to acquire, according to the identification information of the gray file received by the first receiving unit, the attribute information of the gray file reported by each terminal device in the local area network;
a third acquiring unit, configured to acquire the flow path of the gray file according to the attribute information of the gray file reported by each terminal device in the local area network and acquired by the second acquiring unit, where the flow path is formed by connecting the source information and flow destination information of the gray file in series in chronological order.
According to yet another aspect of the present invention, an APT attack detection system is provided, the system including the terminal device described above and the server described above.
According to yet another aspect of the present invention, a computer program is provided that includes computer readable code which, when run on a computing device, causes the computing device to perform the APT attack detection method described above.
According to yet another aspect of the present invention, a computer readable medium is provided that stores the computer program described above.
By means of the above technical solutions, in the APT attack detection method, terminal device, server and system provided by the present invention, when an APT attack is detected, the terminal device records attribute information of a preset file in the local area network, where the attribute information of the preset file includes identification information, time information, source information and flow destination information; determines, according to the attribute information, whether the preset file is a gray file, where the gray file exists in neither the whitelist nor the blacklist of the preset file; if the preset file is determined to be the gray file, determines whether the gray file triggers a preset abnormal behavior rule; and if the gray file is determined to trigger the preset abnormal behavior rule, sends to the server abnormal warning information indicating that the gray file has triggered the preset abnormal behavior rule, where the abnormal warning information includes identification information of the terminal device. Compared with the prior art, in which APT attacks are detected manually, in the present invention, when the abnormal behavior of a gray file triggers a preset abnormal behavior rule, the terminal sends abnormal warning information to the server, and the server acquires the flow path of the gray file according to the identification information of the gray file reported by each terminal in the local area network, and from the flow path obtains the time information, source information and so on of the gray file within the local area network, so that APT attacks can be detected quickly and accurately.
The above description is only an overview of the technical solutions of the present invention. In order that the technical means of the present invention may be understood more clearly and implemented in accordance with the contents of the specification, and in order that the above and other objects, features and advantages of the present invention may be more apparent, specific embodiments of the present invention are set forth below.

Brief Description of the Drawings

Various other advantages and benefits will become apparent to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered as limiting the invention. Throughout the drawings, the same reference numerals denote the same components. In the drawings:
FIG. 1 is a flowchart of an APT attack detection method according to an embodiment of the present invention;
FIG. 2 is a flowchart of another APT attack detection method according to an embodiment of the present invention;
FIG. 3 is a block diagram of a terminal device according to an embodiment of the present invention;
FIG. 4 is a block diagram of another terminal device according to an embodiment of the present invention;
FIG. 5 is a block diagram of a server according to an embodiment of the present invention;
FIG. 6 is a block diagram of another server according to an embodiment of the present invention;
FIG. 7 is a block diagram of an APT attack detection system according to an embodiment of the present invention;
FIG. 8 is a schematic block diagram of a computing device for performing the APT attack detection method according to the present invention; and
FIG. 9 schematically shows a storage unit for holding or carrying program code that implements the APT attack detection method according to the present invention.

Detailed Description
The present invention is further described below with reference to the drawings and specific embodiments.

Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the present disclosure will be understood more thoroughly and its scope fully conveyed to those skilled in the art.

An embodiment of the present invention provides an APT attack detection method applied on the terminal device side. As shown in FIG. 1, the method includes:

101. The terminal device records attribute information of a preset file in the local area network.

A local area network environment contains a plurality of terminal devices, and each terminal device records attribute information of preset files, where the attribute information of a preset file includes identification information, time information, source information and flow destination information. It should be noted that a preset file refers to a file downloaded from the network or obtained by wired or wireless transfer from a USB disk, a hard disk or a smartphone; network download includes, but is not limited to, website download, e-mail download, network sharing and so on. The embodiment of the present invention does not limit the source of the preset file or its specific type.

To ensure the accuracy of the attribute information the terminal device records, the attribute information of a preset file is recorded when the terminal device receives the preset file for the first time, and is recorded only once. Before the attribute information of a preset file is recorded, the security level of the preset file cannot be determined, so the attribute information of all preset files on the terminal device needs to be recorded. The security level of a preset file is one of: whitelist file, blacklist file or gray file, where a gray file is a file that belongs neither to the whitelist nor to the blacklist. The embodiment of the present invention does not limit the specific timing at which the terminal device records the attribute information of preset files in the local area network, nor the security level of the preset file.

To describe the recording of a preset file's attribute information more clearly, a detailed example follows. Suppose terminal device A holds a preset file I, which a user transferred to terminal device A by USB disk on March 4, 2015, and that on May 28, 2015 terminal device A sent preset file I by e-mail to terminal device B and terminal device C. For this same preset file I, the attribute information recorded by terminal device A includes: preset file identification information WJ-001, time information March 4, 2015, source information USB disk, flow destination information terminal device B and terminal device C; the attribute information recorded by terminal device B includes: preset file identification information WJ-001, time information May 28, 2015, source information terminal device A, flow destination information none; the attribute information recorded by terminal device C includes: preset file identification information WJ-001, time information May 28, 2015, source information terminal device A, flow destination information none. The above is only an illustrative example, and the embodiment of the present invention does not limit the specific content of the attribute information of preset files recorded by the terminal device.
The above is only an exemplary example, and the specific content of the attribute information of the preset file recorded by the terminal device is not limited in the embodiment of the present invention.
102. The terminal device determines, according to the attribute information, whether the preset file is a gray file.
In this step, the security level of the preset file is determined based on the attribute information of the preset file recorded in step 101. If the preset file is a whitelist file, the preset file is safe and no APT attack can be present in it; if the preset file is a blacklist file, the preset file is a dangerous file and is filtered or deleted; if the preset file is a gray file, the risk of the preset file is unknown. Therefore, gray files need to be tracked.
103. If the preset file is determined to be the gray file, the terminal device determines whether the gray file triggers a preset abnormal behavior rule.
After the preset file is determined to be a gray file, if the gray file shows no abnormal behavior while flowing between terminal devices in the local area network, no APT attack exists in the gray file; if abnormal behavior occurs while the file flows between terminal devices in the local area network, an APT attack may exist in the gray file. Because an APT attack is highly covert and the time at which it is launched is uncertain, in the embodiment of the present invention the terminal device monitors the gray file to determine whether it triggers the preset abnormal behavior rule.
The preset abnormal behavior rule is an empirical value. When the abnormal behavior rule is set, it may include, but is not limited to, for example: the access rights of the gray file, the execution time of the gray file, and so on.
In a specific implementation, different terminal device users are given different access rights; for example, the finance department has its corresponding access rights and the R&D department has its corresponding access rights. If a gray file in a terminal device of the R&D department accesses the finance department, the gray file triggers the preset abnormal behavior rule. Alternatively, a terminal device has fixed working hours; assuming the working hours of the terminal device are 09:00-17:30, if a gray file in the terminal device executes automatically at 22:00, the gray file triggers the preset abnormal behavior rule. The embodiment of the present invention does not specifically limit the content of the preset abnormal behavior rule.
104. If the gray file is determined to trigger the preset abnormal behavior rule, the terminal device sends to the server abnormal warning information indicating that the gray file has triggered the preset abnormal behavior rule.
When the gray file is determined to trigger the preset abnormal behavior rule, the terminal device determines that an APT attack may exist in the gray file; therefore, the terminal device sends abnormal warning information about the abnormal behavior to the server, where the abnormal warning information contains the identification information of the terminal device.
In the APT attack detection method provided by the embodiment of the present invention, when detecting an APT attack, the terminal device records the attribute information of a preset file in the local area network, where the attribute information of the preset file includes identification information, time information, source information, and flow destination information; determines, according to the attribute information, whether the preset file is a gray file, where the gray file exists neither in the whitelist of preset files nor in the blacklist of preset files; if the preset file is determined to be the gray file, determines whether the gray file triggers a preset abnormal behavior rule; and if the gray file is determined to trigger the preset abnormal behavior rule, sends to the server abnormal warning information indicating that the gray file has triggered the preset abnormal behavior rule, where the abnormal warning information contains the identification information of the terminal device. Compared with the prior art, in which APT attacks are detected manually, in the embodiment of the present invention the terminal sends abnormal warning information to the server when the abnormal behavior of a gray file triggers the preset abnormal behavior rule, and the server obtains the flow path of the gray file according to the identification information of the gray file reported by each terminal in the local area network and, from the flow path, obtains the time information, source information, and so on of the gray file within the local area network, so that the APT attack can be detected quickly and accurately.
Further, as a refinement and extension of the method shown in FIG. 1, the recording by the terminal device of the attribute information of the preset file in the local area network in step 101 may be implemented in, but is not limited to, the following manners:
Manner 1: recording the attribute information of the preset file in the local area network based on a preset driver.
When the terminal device is the flow destination and receives a preset file, the preset driver automatically identifies the preset file and records its attribute information. In a specific operation, the preset driver may be, but is not limited to, a USB flash drive monitoring driver; the embodiment of the present invention does not limit the specific type of the preset driver.
Manner 2: recording the attribute information of the preset file in the local area network based on a preset gateway device. When the terminal device downloads a preset file via the Internet, the preset gateway device automatically identifies the preset file and records its attribute information.
It should be noted that, when the attribute information of the preset file in the local area network is recorded by Manner 1, if the preset file is a gray file and the gray file triggers the preset abnormal behavior rule, the terminal device reports to the server the abnormal warning information that the gray file has triggered the preset abnormal behavior rule; when the attribute information is recorded by Manner 2, if the preset file is a gray file and the gray file triggers the preset abnormal behavior rule, the preset gateway device reports that abnormal warning information to the server.
Further, so that the server can trace the gray file in the terminal device promptly when the terminal device reports abnormal warning information, before the terminal device sends to the server the abnormal warning information that the gray file has triggered the preset abnormal behavior rule, the terminal device records the time information, source information, and flow destination information of the gray file according to the identification information of the gray file, and sends the recorded time information, source information, and flow destination information of the gray file to the server. It should be noted that multiple gray files may exist in the same terminal device, and the terminal device needs to record the time information, source information, and flow destination information of each gray file separately according to its distinct identification information. Each terminal device in the local area network reports the time information, source information, and flow destination information of its gray files to the server, which ensures the completeness and accuracy of the flow path when the server later traces the flow path of a gray file.
Further, when the terminal device determines according to the attribute information whether the preset file is a gray file, the specific process is as follows: after the terminal device records the attribute information of the preset file, it sends the attribute information to a cloud scanning server, in which a blacklist and a whitelist of preset files are recorded. After receiving the attribute information of the preset file, the cloud scanning server obtains the identification information from the attribute information and traverses the blacklist and the whitelist based on the identification information. If the identification information exists in the blacklist, the preset file corresponding to the identification information is filtered directly; if the identification information exists in the whitelist, the preset file corresponding to the identification information is determined to be a safe file; if the identification information exists neither in the whitelist nor in the blacklist, the preset file corresponding to the identification information is determined to be a gray file, and in that case the cloud scanning server returns the identification information of the gray file to the terminal device, so that the terminal device records the attribute information of the gray file and reports it to the server.
Further, before the terminal device determines whether the gray file triggers the preset abnormal behavior rule, the preset abnormal behavior rule is generated; the preset abnormal behavior rule is used to determine whether the gray file exhibits abnormal behavior.
Further, after the preset abnormal behavior rule is generated, the determination by the terminal device of whether the gray file triggers the preset abnormal behavior rule specifically includes: obtaining the preset abnormal behavior rule, determining whether the gray file exhibits abnormal behavior, and judging whether the abnormal behavior triggers the preset abnormal behavior rule. Exemplarily, assume the preset abnormal behavior rule contains: taking one day as the unit, when the gray file executes at an abnormal time more than once, the gray file is determined to trigger the preset abnormal behavior rule, where the abnormal execution time is 22:00 to 05:00 the next day. If the gray file executes once at 23:00, the terminal device determines that this execution of the gray file is abnormal behavior and checks whether the gray file has executed abnormally more than once within one day; if the gray file has executed abnormally once, no abnormal warning information is reported to the server; if the gray file has executed abnormally twice, abnormal warning information is reported to the server.
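As an added illustration of the rule evaluation in steps 103 and 104 (example code, not part of the patent), the following Python evaluates the two rules described above: the 22:00-05:00 execution window with a more-than-once-per-day threshold, and the department access-rights rule. The class names, the treatment of a post-midnight execution as belonging to the previous evening's window, and the sample times are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, time, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Added example, not code from the patent. The class names
# (AbnormalBehaviorRule, GrayFileMonitor, AbnormalWarning) and the
# sample times in sample_scenario() are assumptions.


@dataclass
class AbnormalBehaviorRule:
    """Empirical rule from the text: executions inside the abnormal window are
    abnormal behavior; more than max_abnormal_per_day of them in one day
    trigger the rule. The default window 22:00-05:00 crosses midnight."""
    window_start: time = time(22, 0)
    window_end: time = time(5, 0)
    max_abnormal_per_day: int = 1
    # Access-rights rule: the departments each department's gray files may reach.
    allowed_access: Dict[str, Set[str]] = field(
        default_factory=lambda: {"R&D": {"R&D"}, "finance": {"finance"}})

    def is_abnormal_time(self, when: datetime) -> bool:
        t = when.time()
        if self.window_start <= self.window_end:
            return self.window_start <= t < self.window_end
        # Window wraps past midnight (22:00 -> 05:00 next day).
        return t >= self.window_start or t < self.window_end

    def day_key(self, when: datetime) -> date:
        # Assumption: an execution after midnight but before window_end is
        # counted against the window that began the previous evening, so one
        # 22:00-05:00 window is a single "day" for the threshold.
        if when.time() < self.window_end:
            return (when - timedelta(days=1)).date()
        return when.date()


@dataclass(frozen=True)
class AbnormalWarning:
    """Step 104 payload: carries the terminal's identification information."""
    terminal_id: str
    file_id: str
    reason: str


class GrayFileMonitor:
    """Terminal-side monitor for gray files (steps 103 and 104)."""

    def __init__(self, terminal_id: str, department: str,
                 rule: AbnormalBehaviorRule) -> None:
        self.terminal_id = terminal_id
        self.department = department
        self.rule = rule
        self._abnormal_runs: Dict[Tuple[str, date], int] = {}

    def on_execute(self, file_id: str, when: datetime) -> Optional[AbnormalWarning]:
        """Record one execution of a gray file; return the warning to send to
        the server if the execution-time rule is triggered, else None."""
        if not self.rule.is_abnormal_time(when):
            return None
        key = (file_id, self.rule.day_key(when))
        self._abnormal_runs[key] = self._abnormal_runs.get(key, 0) + 1
        count = self._abnormal_runs[key]
        if count > self.rule.max_abnormal_per_day:
            return AbnormalWarning(
                self.terminal_id, file_id,
                f"{count} executions in the {self.rule.window_start:%H:%M}-"
                f"{self.rule.window_end:%H:%M} window counted for {key[1]}")
        return None

    def on_access(self, file_id: str, target_department: str) -> Optional[AbnormalWarning]:
        """Access-rights rule: a gray file reaching a department its terminal
        may not access triggers the rule on the first occurrence."""
        if target_department in self.rule.allowed_access.get(self.department, set()):
            return None
        return AbnormalWarning(
            self.terminal_id, file_id,
            f"{self.department} terminal accessed the {target_department} department")


def sample_scenario() -> List[Optional[AbnormalWarning]]:
    """Constructed input: the text's scenario on an R&D terminal. Runs at 23:00
    and 01:30 fall in the same window (second one triggers), 12:00 is working
    hours, 23:00 the next evening starts a new window; then two accesses."""
    monitor = GrayFileMonitor("terminal-A", "R&D", AbnormalBehaviorRule())
    return [
        monitor.on_execute("WJ-001", datetime(2015, 3, 4, 23, 0)),
        monitor.on_execute("WJ-001", datetime(2015, 3, 5, 1, 30)),
        monitor.on_execute("WJ-001", datetime(2015, 3, 5, 12, 0)),
        monitor.on_execute("WJ-001", datetime(2015, 3, 5, 23, 0)),
        monitor.on_access("WJ-001", "R&D"),
        monitor.on_access("WJ-001", "finance"),
    ]


if __name__ == "__main__":
    for result in sample_scenario():
        print(result)
```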
An embodiment of the present invention also provides another attack detection method. The method is applied on the server side and, as shown in FIG. 2, includes:
201. The server receives the attribute information of gray files reported by each terminal device in the local area network. The attribute information of a gray file includes identification information, source information, flow destination information, and time information. For a detailed description of gray files, refer to the detailed description in step 101, which is not repeated here.
202. When receiving abnormal warning information sent by a terminal device in the local area network, the server obtains, according to the identification information of the terminal device contained in the abnormal warning information, the gray files of that terminal device within a preset time period.
When a terminal device reports abnormal warning information, an APT attack may exist in a gray file in that terminal device; the abnormal warning information is generated according to the gray file triggering the preset abnormal behavior rule. Because the terminal device may contain multiple gray files, and it cannot be determined which gray file triggered the abnormal warning information, when the server receives the abnormal warning information sent by the terminal device, it obtains, according to the identification information of the terminal device contained in the abnormal warning information, all gray files of the terminal device within the preset time period, and obtains the identification information corresponding to all of those gray files.
The preset time period is set manually by the operation and maintenance personnel of the local area network; it may be set to one week or, alternatively, to one month. The embodiment of the present invention does not limit the setting of the preset time period.
203. The server obtains, according to the identification information of the gray file, the attribute information of the gray file reported by each terminal device in the local area network.
Because the flow of a gray file within the local area network is random, and the time information, source information, and flow destination information of the gray file are reported to the server by each terminal device individually, the server, on receiving the time information, source information, and flow destination information sent by a terminal device, only saves the received information and does not chain together the flow path of the gray file within the local area network according to the identification information of the gray file. Only when a terminal device sends abnormal warning information does the server chain together the time information, source information, and flow destination information of the gray file within the local area network.
204. The server obtains the flow path of the gray file according to the attribute information of the gray file reported by each terminal device in the local area network.
After the attribute information of the gray file reported by each terminal device in the local area network is obtained in step 203, the server chains together the source information and flow destination information of the gray file, according to the identification information of the gray file, in chronological order; the server obtains the flow path of the gray file and outputs the flow path so that the operation and maintenance personnel of the local area network can locate the source of the APT attack.
As one implementation of the embodiment of the present invention, when the flow path is output for display, it is displayed in the form of a chart that contains the time information of the gray file flowing within the local area network; alternatively, the flow path of the gray file is displayed as a timeline. The embodiment of the present invention does not limit the manner in which the flow path is output and displayed.
In the APT attack detection method provided by the embodiment of the present invention, when detecting an APT attack, the terminal device records the attribute information of a preset file in the local area network, where the attribute information of the preset file includes identification information, time information, source information, and flow destination information; determines, according to the attribute information, whether the preset file is a gray file, where the gray file exists neither in the whitelist of preset files nor in the blacklist of preset files; if the preset file is determined to be the gray file, determines whether the gray file triggers a preset abnormal behavior rule; and if the gray file is determined to trigger the preset abnormal behavior rule, sends to the server abnormal warning information indicating that the gray file has triggered the preset abnormal behavior rule, where the abnormal warning information contains the identification information of the terminal device. Compared with the prior art, in which APT attacks are detected manually, in the embodiment of the present invention the terminal sends abnormal warning information to the server when the abnormal behavior of a gray file triggers the preset abnormal behavior rule, and the server obtains the flow path of the gray file according to the identification information of the gray file reported by each terminal in the local area network and, from the flow path, obtains the time information, source information, and so on of the gray file within the local area network, so that the APT attack can be detected quickly and accurately.
Further, as a refinement and extension of the method shown in FIG. 2, after the attribute information of the gray file reported by each terminal device in the local area network is obtained in step 203 according to the identification information of the gray file, the attribute information of the gray file is parsed according to the identification information of the gray file to determine the time information, source information, and flow destination information of the gray file, and the source information and flow destination information of the gray file are chained together in chronological order of the time information.
Exemplarily, assume the identification information of a gray file is HWJ-008. According to the identification information HWJ-008, the server searches the attribute information reported by each terminal device; the terminal devices whose reported attribute information contains HWJ-008 are terminal device 1, terminal device 8, terminal device 45, and terminal device 12. Terminal device 1 recorded time information March 9, 2015, source information terminal device 8, flow destination information terminal device 12; terminal device 8 recorded time information February 20, 2015, source information the XXX website, flow destination information terminal device 1; terminal device 12 recorded time information March 15, 2015, source information terminal device 1, flow destination information terminal device 45; terminal device 45 recorded time information April 6, 2015, source information terminal device 12, flow destination information none. According to the time information, the server forms the flow path of the gray file with identification information HWJ-008 as: terminal device 8 (February 20, 2015) → terminal device 1 (March 9, 2015) → terminal device 12 (March 15, 2015) → terminal device 45 (April 6, 2015). The above is only an illustrative example; the embodiment of the present invention does not limit the identification information, the source information of the gray file flowing among terminal devices in the local area network, the flow destination information, or similar content.
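The server-side chaining of steps 202 to 204, as an added example that is not the patent's own code: the HWJ-008 reports from the text are stored as received, and only on a warning are they sorted by time information and joined into the flow path. The class and method names, the one-week preset period, the consistency cross-check between neighbouring hops, and the HWJ-009 reports are assumptions (the latter constructed to show a report that disagrees with its neighbour).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Added example, not code from the patent. GrayFileReport, FlowPathServer and
# the method names are assumptions; the HWJ-008 reports in sample_server()
# reproduce the text's example, the HWJ-009 reports are constructed.


@dataclass(frozen=True)
class GrayFileReport:
    """One terminal's report for one gray file (step 201)."""
    terminal: str
    file_id: str
    when: date                     # time information
    source: str                    # source information
    destinations: Tuple[str, ...]  # flow destination information; () = none


class FlowPathServer:
    def __init__(self) -> None:
        # Reports are only stored on receipt; chaining happens on a warning.
        self._reports: List[GrayFileReport] = []

    def receive(self, report: GrayFileReport) -> None:
        self._reports.append(report)

    def gray_files_of(self, terminal: str, alert_date: date,
                      period: timedelta) -> Set[str]:
        """Step 202: gray files the alerting terminal reported within the
        preset time period ending on the alert date."""
        earliest = alert_date - period
        return {r.file_id for r in self._reports
                if r.terminal == terminal and earliest <= r.when <= alert_date}

    def _reports_for(self, file_id: str) -> List[GrayFileReport]:
        # Step 203, with the chronological ordering step 204 needs.
        return sorted((r for r in self._reports if r.file_id == file_id),
                      key=lambda r: r.when)

    def flow_path(self, file_id: str) -> List[Tuple[str, date]]:
        """Step 204: terminals the file passed through, in time order."""
        return [(r.terminal, r.when) for r in self._reports_for(file_id)]

    def entry_point(self, file_id: str) -> Optional[str]:
        """Source information of the earliest hop: where the file entered the LAN."""
        reports = self._reports_for(file_id)
        return reports[0].source if reports else None

    def check_consistency(self, file_id: str) -> List[str]:
        """Cross-check each hop against its predecessor: a mismatch means a
        terminal did not report, or its records disagree with its neighbour's."""
        problems: List[str] = []
        reports = self._reports_for(file_id)
        for prev, cur in zip(reports, reports[1:]):
            if cur.source != prev.terminal:
                problems.append(f"{cur.terminal} names source {cur.source}, "
                                f"but the previous hop was {prev.terminal}")
            if cur.terminal not in prev.destinations:
                problems.append(f"{prev.terminal} did not list {cur.terminal} "
                                "as a flow destination")
        return problems

    def handle_warning(self, terminal: str, alert_date: date,
                       period: timedelta) -> Dict[str, List[Tuple[str, date]]]:
        """Steps 202 to 204 for one abnormal warning from `terminal`."""
        return {f: self.flow_path(f)
                for f in self.gray_files_of(terminal, alert_date, period)}


def sample_server() -> FlowPathServer:
    """Constructed input: the HWJ-008 reports from the text, received out of
    time order, plus two HWJ-009 reports (constructed) whose hops disagree."""
    srv = FlowPathServer()
    for r in [
        GrayFileReport("terminal device 1", "HWJ-008", date(2015, 3, 9),
                       "terminal device 8", ("terminal device 12",)),
        GrayFileReport("terminal device 8", "HWJ-008", date(2015, 2, 20),
                       "XXX website", ("terminal device 1",)),
        GrayFileReport("terminal device 12", "HWJ-008", date(2015, 3, 15),
                       "terminal device 1", ("terminal device 45",)),
        GrayFileReport("terminal device 45", "HWJ-008", date(2015, 4, 6),
                       "terminal device 12", ()),
        GrayFileReport("terminal device 7", "HWJ-009", date(2015, 5, 1),
                       "mail download", ("terminal device 3",)),
        GrayFileReport("terminal device 3", "HWJ-009", date(2015, 5, 3),
                       "terminal device 9", ()),
    ]:
        srv.receive(r)
    return srv


def sample_warning_paths() -> Dict[str, List[Tuple[str, date]]]:
    """A warning from terminal device 45 on April 7, 2015, one-week period."""
    return sample_server().handle_warning("terminal device 45",
                                          date(2015, 4, 7), timedelta(days=7))
```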
Further, before the server receives the attribute information of the gray files reported by each terminal device in the local area network, it receives the preset file sent by the terminal device and, at the same time, receives a database table sent by the cloud scanning server, where the database table is generated by the cloud scanning database according to the whitelist and blacklist of preset files. The server determines, according to the database table, whether the received preset file is a gray file, and after determining that the preset file is a gray file, receives the attribute information of the gray file reported by the terminal device. The purpose of the server determining that the preset file is a gray file is to receive only the attribute information of gray files, and not the attribute information corresponding to preset files that the cloud scanning server has placed on the whitelist or the blacklist, which saves part of the server's processing resources; at the same time, no APT attack exists in a whitelisted preset file, so such preset files do not need to be tracked.
As one implementation of the embodiment of the present invention, the cloud scanning server scans the preset file recorded by the terminal device in real time to determine the security of the preset file, that is, to determine whether the preset file is a whitelist file, a blacklist file, or a gray file. After the type of the preset file is determined, it is stored in the database table, and the database table is sent to the server according to a preset period; alternatively, after the type of the preset file is determined, the database table is sent to the server in real time. The embodiment of the present invention does not limit the timing at which the cloud scanning server sends the database table to the server.
Further, as an implementation of the method shown in FIG. 1 above, another embodiment of the present invention also provides a terminal device. This apparatus embodiment corresponds to the foregoing method embodiment; for ease of reading, this apparatus embodiment does not repeat the details of the foregoing method embodiment one by one, but it should be clear that the apparatus in this embodiment can correspondingly implement all the content of the foregoing method embodiment.
A terminal device provided by the embodiment of the present invention, as shown in FIG. 3, includes:
a first recording unit 31, configured to record attribute information of a preset file in the local area network, where the attribute information of the preset file includes identification information, time information, source information, and flow destination information;
a first determining unit 32, configured to determine, according to the attribute information recorded by the first recording unit 31, whether the preset file is a gray file, where the gray file exists neither in the whitelist of preset files nor in the blacklist of preset files;
a second determining unit 33, configured to determine, when the first determining unit 32 determines that the preset file is the gray file, whether the gray file triggers a preset abnormal behavior rule;
a first sending unit 34, configured to send to the server, when the second determining unit 33 determines that the gray file triggers the preset abnormal behavior rule, abnormal warning information indicating that the gray file has triggered the preset abnormal behavior rule, where the abnormal warning information contains the identification information of the terminal device.
Further, as shown in FIG. 4, the first recording unit 31 includes:
a first recording module 311, configured to record attribute information of preset files in the local area network based on a preset driver;
a second recording module 312, configured to record attribute information of preset files in the local area network based on a preset gateway device.
Further, as shown in FIG. 4, the terminal device further includes:
a second recording unit 35, configured to record, before the first sending unit 34 sends to the server the abnormal warning information indicating that the gray file has triggered the preset abnormal behavior rule, the time information, source information, and flow target information of the gray file according to the identification information of the gray file;
a second sending unit 36, configured to send the time information, source information, and flow target information recorded by the second recording unit 35 to the server.
Further, as shown in FIG. 4, the first determining unit 32 includes:
a sending module 321, configured to send the attribute information to a cloud scanning server, so that the cloud scanning server determines according to the attribute information whether the preset file is the gray file, and to determine that the preset file is a gray file when the cloud scanning server returns the identification information of the gray file;
a determining module 322, configured to determine, after the sending module 321 has sent the attribute information to the cloud scanning server, whether the preset file is a gray file according to whether the cloud scanning server sends the identification information.
Further, as shown in FIG. 4, the terminal device further includes:
a generating unit 37, configured to generate the preset abnormal behavior rule before the second determining unit 33 determines whether the gray file triggers the preset abnormal behavior rule.
Further, as shown in FIG. 4, the second determining unit 33 includes:
an obtaining module 331, configured to obtain the preset abnormal behavior rule;
a determining module 332, configured to determine whether the gray file exhibits abnormal behavior;
a judging module 333, configured to judge whether the abnormal behavior determined by the determining module 332 triggers the preset abnormal behavior rule obtained by the obtaining module 331.
Further, as an implementation of the method shown in FIG. 2, another embodiment of the present invention provides a server. This apparatus embodiment corresponds to the foregoing method embodiment; for ease of reading, it does not repeat the details of the foregoing method embodiment one by one, but it should be clear that the apparatus of this embodiment can correspondingly implement all of the content of the foregoing method embodiment.
An embodiment of the present invention provides a server which, as shown in FIG. 5, includes:
a first receiving unit 51, configured to receive attribute information of gray files reported by each terminal device in the local area network; wherein the attribute information of a gray file includes identification information, source information, flow target information, and time information;
a first obtaining unit 52, configured to obtain, when abnormal warning information sent by a terminal device in the local area network is received, the gray files of that terminal device within a preset time period according to the identification information of the terminal device included in the abnormal warning information; the abnormal warning information being generated when the gray file triggers a preset abnormal behavior rule;
a second obtaining unit 53, configured to obtain, according to the identification information of the gray file received by the first receiving unit 51, the attribute information of the gray file reported by each terminal device in the local area network;
a third obtaining unit 54, configured to obtain the flow path of the gray file according to the attribute information of the gray file reported by each terminal device in the local area network, as obtained by the second obtaining unit 53; wherein the flow path is formed by concatenating the source information and flow target information of the gray file in chronological order.
Further, as shown in FIG. 6, the server further includes:
a parsing unit 55, configured to parse the attribute information of the gray file according to the identification information of the gray file, after the second obtaining unit 53 has obtained, according to the identification information of the gray file, the attribute information of the gray file reported by each terminal device in the local area network;
a first determining unit 56, configured to determine the time information, source information, and flow target information of the gray file after the parsing unit 55 has parsed the attribute information of the gray file according to the identification information of the gray file;
a concatenating unit 57, configured to concatenate the source information and flow target information of the gray file according to the chronological order of the time information determined by the first determining unit 56;
a forming unit 58, configured to form the flow path of the gray file.
Further, as shown in FIG. 6, the server further includes:
a second receiving unit 59, configured to receive the preset file sent by the terminal device before the first receiving unit 51 receives the attribute information of gray files reported by each terminal device in the local area network;
a third receiving unit 510, configured to receive a database table sent by the cloud scanning server, the database table being generated by the cloud scanning server according to the whitelist and blacklist of the preset files;
a second determining unit 511, configured to determine, according to the database table received by the third receiving unit 510, whether the preset file is the gray file;
the first receiving unit 51 being further configured to receive the attribute information of gray files reported by each terminal device in the local area network when the second determining unit 511 determines, according to the database table, that the preset file is the gray file.
Further, an embodiment of the present invention provides an APT attack detection system which, as shown in FIG. 7, includes a terminal device 71 as shown in either FIG. 3 or FIG. 4, and a server 72 as shown in either FIG. 5 or FIG. 6.
With the terminal device, server, and APT attack detection system provided by the embodiments of the present invention, when an APT attack is being detected, the terminal device records attribute information of preset files in the local area network, where the attribute information of a preset file includes identification information, time information, source information, and flow target information; determines, according to the attribute information, whether the preset file is a gray file, where a gray file is present in neither the whitelist nor the blacklist of the preset files; if the preset file is determined to be the gray file, determines whether the gray file triggers a preset abnormal behavior rule; and if the gray file is determined to trigger the preset abnormal behavior rule, sends abnormal warning information indicating that the gray file has triggered the preset abnormal behavior rule to the server, where the abnormal warning information includes identification information of the terminal device. Compared with the prior art, in which APT attacks are detected manually, in the embodiments of the present invention the terminal sends abnormal warning information to the server when the abnormal behavior of a gray file triggers a preset abnormal behavior rule; the server then obtains the flow path of the gray file according to the identification information of the gray file reported by each terminal in the local area network, and obtains from the flow path the time information, source information, and so on of the gray file within that local area network, so that APT attacks can be detected quickly and accurately.
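The terminal-side triage and the server-side flow-path reconstruction described above, modelled as an added Python example that is not part of the patent or of any product of the applicants. The whitelist and blacklist entries, the rule contents, the behaviour tags, and the reports from three terminals are all constructed for illustration; file identification information is assumed to be a content hash and time information a plain integer timestamp.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class FileReport:
    """Attribute information for one preset file as recorded by a terminal device."""
    device_id: str  # identification information of the reporting terminal
    file_id: str    # identification information of the file (assumed here: a content hash)
    timestamp: int  # time information (assumed here: seconds since an epoch)
    source: str     # source information: where the file arrived from
    target: str     # flow target information: where the file was passed on to


# Constructed stand-in for the database table the cloud scanning server derives
# from the whitelist and blacklist of preset files.
WHITELIST: Set[str] = {"sha256:1111"}
BLACKLIST: Set[str] = {"sha256:2222"}

# Constructed preset abnormal behaviour rules: a rule is triggered when every
# behaviour tag it lists has been observed for the file.
PRESET_RULES: Dict[str, FrozenSet[str]] = {
    "persist_and_spread": frozenset({"adds_autostart_entry", "writes_to_network_share"}),
    "inject_and_beacon": frozenset({"injects_into_process", "periodic_outbound_connection"}),
}


def classify_file(file_id: str, whitelist: Set[str], blacklist: Set[str]) -> str:
    """A gray file is one present in neither the whitelist nor the blacklist."""
    if file_id in whitelist:
        return "white"
    if file_id in blacklist:
        return "black"
    return "gray"


def triggered_rules(observed: Set[str], rules: Dict[str, FrozenSet[str]]) -> List[str]:
    """Names of the preset rules whose behaviour pattern is fully matched."""
    return sorted(name for name, needed in rules.items() if needed <= observed)


def terminal_check(report: FileReport, observed: Set[str]) -> Optional[dict]:
    """Terminal side: raise abnormal warning information only for a gray file
    that triggers a preset rule.  The warning carries the terminal's own
    identification information so the server can scope its follow-up query."""
    if classify_file(report.file_id, WHITELIST, BLACKLIST) != "gray":
        return None
    fired = triggered_rules(observed, PRESET_RULES)
    if not fired:
        return None
    return {"device_id": report.device_id, "file_id": report.file_id,
            "timestamp": report.timestamp, "rules": fired}


def gray_files_in_window(reports: List[FileReport], device_id: str,
                         start: int, end: int) -> Set[str]:
    """Server side: gray files the alerting terminal reported in the preset time period."""
    return {r.file_id for r in reports
            if r.device_id == device_id and start <= r.timestamp <= end
            and classify_file(r.file_id, WHITELIST, BLACKLIST) == "gray"}


def flow_path(reports: List[FileReport], file_id: str) -> List[str]:
    """Server side: concatenate the source and flow-target information of one
    gray file, gathered from every terminal, in chronological order.  A node
    that repeats the previous one (target of one report == source of the
    next) is collapsed so the path reads as a single chain."""
    path: List[str] = []
    relevant = sorted((r for r in reports if r.file_id == file_id),
                      key=lambda r: r.timestamp)
    for r in relevant:
        for node in (r.source, r.target):
            if not path or path[-1] != node:
                path.append(node)
    return path


# Constructed reports from three terminals that each saw the same gray file,
# deliberately out of order to show that the server sorts by time information.
SAMPLE_REPORTS: List[FileReport] = [
    FileReport("term-C", "sha256:3333", 300, "host-B", "file-server"),
    FileReport("term-A", "sha256:3333", 100, "mail-gateway", "host-A"),
    FileReport("term-B", "sha256:3333", 200, "host-A", "host-B"),
    FileReport("term-A", "sha256:1111", 150, "update-server", "host-A"),  # whitelisted
]


if __name__ == "__main__":
    # term-B observes the gray file adding persistence and copying itself to a share.
    alert = terminal_check(SAMPLE_REPORTS[2],
                           {"adds_autostart_entry", "writes_to_network_share"})
    print("alert:", alert)
    if alert:
        window = gray_files_in_window(SAMPLE_REPORTS, alert["device_id"],
                                      alert["timestamp"] - 3600, alert["timestamp"])
        for fid in sorted(window):
            print(fid, ":", " -> ".join(flow_path(SAMPLE_REPORTS, fid)))
```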
In the above embodiments, the description of each embodiment has its own emphasis; for parts not detailed in a given embodiment, reference may be made to the related descriptions of the other embodiments.
Numerous specific details are set forth in the description provided herein. However, it is understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures, and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline this disclosure and aid the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof. However, this method of disclosure is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the devices of the embodiments may be adaptively changed and arranged in one or more devices different from those of the embodiment. The modules, units, or components of the embodiments may be combined into one module, unit, or component, and may furthermore be divided into a plurality of sub-modules, sub-units, or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract, and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract, and drawings) may be replaced by alternative features serving the same, equivalent, or similar purpose.
Furthermore, those skilled in the art will understand that, although some embodiments described herein include certain features that are included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components in the display device for map search results according to embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the methods described herein. Such a program implementing the invention may be stored on a computer-readable medium or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
For example, FIG. 8 shows a computing device that can implement the APT attack detection method according to the present invention. The computing device conventionally includes a processor 810 and a computer program product or computer-readable medium in the form of a memory 820. The memory 820 may be an electronic memory such as flash memory, EEPROM (electrically erasable programmable read-only memory), EPROM, a hard disk, or ROM. The memory 820 has a storage space 830 for program code 831 for performing any of the method steps described above. For example, the storage space 830 for program code may include respective program codes 831 for implementing the various steps of the above methods. The program code may be read from or written into one or more computer program products. These computer program products include program code carriers such as hard disks, compact discs (CDs), memory cards, or floppy disks. Such a computer program product is typically a portable or fixed storage unit as described with reference to FIG. 9. The storage unit may have storage segments, storage space, and the like arranged similarly to the memory 820 in the computing device of FIG. 8. The program code may, for example, be compressed in an appropriate form. Typically, the storage unit includes computer-readable code 831', that is, code that can be read by a processor such as 810 and that, when run by the computing device, causes the computing device to perform the various steps of the methods described above.
"An embodiment", "embodiments", or "one or more embodiments" as referred to herein means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the invention. Furthermore, it should be noted that instances of the phrase "in one embodiment" herein do not necessarily all refer to the same embodiment.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, and so on does not indicate any order. These words may be interpreted as names.
Furthermore, it should be noted that the language used in this specification has been chosen principally for readability and instructional purposes, and not to delineate or circumscribe the inventive subject matter. Accordingly, many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. The disclosure of the invention is illustrative, not restrictive, as to the scope of the invention, which is defined by the appended claims.

Claims

1. A method for detecting an APT attack, characterized by comprising:
recording, by a terminal device, attribute information of preset files in a local area network; wherein the attribute information of a preset file includes identification information, time information, source information, and flow target information;
determining, according to the attribute information, whether the preset file is a gray file; wherein the gray file is present in neither the whitelist nor the blacklist of the preset files;
if the preset file is determined to be the gray file, determining whether the gray file triggers a preset abnormal behavior rule;
if the gray file is determined to trigger the preset abnormal behavior rule, sending, to a server, abnormal warning information indicating that the gray file has triggered the preset abnormal behavior rule; wherein the abnormal warning information includes identification information of the terminal device.
2. The method according to claim 1, characterized in that recording, by the terminal device, attribute information of preset files in the local area network comprises:
recording attribute information of preset files in the local area network based on a preset driver;
or, recording attribute information of preset files in the local area network based on a preset gateway device.
3. The method according to claim 2, characterized in that, before sending to the server the abnormal warning information indicating that the gray file has triggered the preset abnormal behavior rule, the method further comprises:
recording, according to the identification information of the gray file, the time information, source information, and flow target information of the gray file;
sending the time information, source information, and flow target information to the server.
4. The method according to claim 3, characterized in that determining, according to the attribute information, whether the preset file is a gray file comprises:
sending the attribute information to a cloud scanning server, so that the cloud scanning server determines according to the attribute information whether the preset file is the gray file, wherein the preset file is determined to be a gray file when the cloud scanning server returns the identification information of the gray file;
determining whether the preset file is a gray file according to whether the cloud scanning server sends the identification information.
5. The method according to any one of claims 1 to 4, characterized in that, before determining whether the gray file triggers the preset abnormal behavior rule, the method further comprises:
generating the preset abnormal behavior rule.
6. The method according to claim 5, characterized in that determining whether the gray file triggers the preset abnormal behavior rule comprises:
obtaining the preset abnormal behavior rule;
determining whether the gray file exhibits abnormal behavior;
judging whether the abnormal behavior triggers the preset abnormal behavior rule.
7. A method for detecting an APT attack, characterized by comprising:
receiving, by a server, attribute information of gray files reported by each terminal device in a local area network; wherein the attribute information of a gray file includes identification information, time information, source information, and flow target information;
when abnormal warning information sent by a terminal device in the local area network is received, obtaining, according to the identification information of the terminal device included in the abnormal warning information, the gray files of the terminal device within a preset time period; the abnormal warning information being generated when the gray file triggers a preset abnormal behavior rule;
obtaining, according to the identification information of the gray file, the attribute information of the gray file reported by each terminal device in the local area network;
obtaining a flow path of the gray file according to the attribute information of the gray file reported by each terminal device in the local area network; wherein the flow path is formed by concatenating the source information and flow target information of the gray file in chronological order.
8. The method according to claim 7, characterized in that, after obtaining, according to the identification information of the gray file, the attribute information of the gray file reported by each terminal device in the local area network, the method further comprises:
parsing the attribute information of the gray file according to the identification information of the gray file;
determining the time information, source information, and flow target information of the gray file;
concatenating the source information and flow target information of the gray file according to the chronological order of the time information;
forming the flow path of the gray file.
9. The method according to claim 7 or 8, characterized in that, before the server receives the attribute information of gray files reported by each terminal device in the local area network, the method further comprises:
receiving the preset file sent by the terminal device;
receiving a database table sent by a cloud scanning server, the database table being generated by the cloud scanning server according to the whitelist and blacklist of the preset files;
determining, according to the database table, whether the preset file is the gray file;
and the server receiving attribute information of gray files reported by each terminal device in the local area network comprises:
if the preset file is determined to be the gray file according to the database table, receiving the attribute information of gray files reported by each terminal device in the local area network.
10. A terminal device, characterized by comprising:
a first recording unit, configured to record attribute information of preset files in a local area network; wherein the attribute information of a preset file includes identification information, time information, source information, and flow target information;
a first determining unit, configured to determine, according to the attribute information recorded by the first recording unit, whether the preset file is a gray file; wherein the gray file is present in neither the whitelist nor the blacklist of the preset files;
a second determining unit, configured to determine, when the first determining unit determines that the preset file is the gray file, whether the gray file triggers a preset abnormal behavior rule;
a first sending unit, configured to send, when the second determining unit determines that the gray file triggers the preset abnormal behavior rule, abnormal warning information indicating that the gray file has triggered the preset abnormal behavior rule to a server; wherein the abnormal warning information includes identification information of the terminal device.
11. The terminal device according to claim 10, characterized in that the first recording unit comprises:
a first recording module, configured to record attribute information of preset files in the local area network based on a preset driver;
a second recording module, configured to record attribute information of preset files in the local area network based on a preset gateway device.
12. The terminal device according to claim 11, characterized in that the terminal device further comprises:
a second recording unit, configured to record, before the first sending unit sends to the server the abnormal warning information indicating that the gray file has triggered the preset abnormal behavior rule, the time information, source information, and flow target information of the gray file according to the identification information of the gray file;
a second sending unit, configured to send the time information, source information, and flow target information recorded by the second recording unit to the server.
13. The terminal device according to claim 12, characterized in that the first determining unit comprises:
a sending module, configured to send the attribute information to a cloud scanning server, so that the cloud scanning server determines according to the attribute information whether the preset file is the gray file, and to determine that the preset file is a gray file when the cloud scanning server returns the identification information of the gray file;
a determining module, configured to determine, after the sending module has sent the attribute information to the cloud scanning server, whether the preset file is a gray file according to whether the cloud scanning server sends the identification information.
14. The terminal device according to any one of claims 10 to 13, characterized in that the terminal device further comprises:
a generating unit, configured to generate the preset abnormal behavior rule before the second determining unit determines whether the gray file triggers the preset abnormal behavior rule.
15. The terminal device according to claim 14, characterized in that the second determining unit comprises:
an obtaining module, configured to obtain the preset abnormal behavior rule;
a determining module, configured to determine whether the gray file exhibits abnormal behavior;
a judging module, configured to judge whether the abnormal behavior determined by the determining module triggers the preset abnormal behavior rule obtained by the obtaining module.
16. A server, characterized by comprising:
a first receiving unit, configured to receive attribute information of gray files reported by each terminal device in a local area network; wherein the attribute information of a gray file includes identification information, time information, source information, and flow target information;
a first obtaining unit, configured to obtain, when abnormal warning information sent by a terminal device in the local area network is received, the gray files of the terminal device within a preset time period according to the identification information of the terminal device included in the abnormal warning information; the abnormal warning information being generated when the gray file triggers a preset abnormal behavior rule;
a second obtaining unit, configured to obtain, according to the identification information of the gray file received by the first receiving unit, the attribute information of the gray file reported by each terminal device in the local area network;
a third obtaining unit, configured to obtain the flow path of the gray file according to the attribute information of the gray file reported by each terminal device in the local area network, as obtained by the second obtaining unit; wherein the flow path is formed by concatenating the source information and flow target information of the gray file in chronological order.
17、 根据权利要求 16所述的服务器, 其特征在于, 所述服务器还包括: 解析单元, 用于在所述第二获取单元根据所述灰文件的标识信息分别获取所述 局域网中各终端设备上报的所述灰文件的属性信息之后, 根据所述灰文件的标识信 息对所述灰文件的属性信息进行解析; 第一确定单元, 用于在所述解析单元根据所述灰文件的标识信息对所述灰文件 的属性信息进行解析之后, 确定所述灰文件的时间信息、 来源信息及流转目标信息; 串联单元, 用于根据所述第一确定单元确定的所述时间信息的先后顺序将所述 灰文件的所述来源信息及所述流转目标信息进行串联; The server according to claim 16, wherein the server further includes: a parsing unit, configured to acquire, in the second acquiring unit, each terminal device in the local area network according to the identification information of the gray file After the attribute information of the gray file is reported, the attribute information of the gray file is parsed according to the identification information of the gray file; a first determining unit, configured to determine, after the parsing unit parses the attribute information of the gray file according to the identifier information of the gray file, time information, source information, and flow target information of the gray file; And combining the source information of the gray file and the flow target information according to a sequence of the time information determined by the first determining unit;
形成单元, 用于形成所述灰文件的所述流转路径。  Forming a unit for forming the flow path of the gray file.
18、 根据权利要求 16或 17所述的服务器, 其特征在于, 所述服务器还包括: 第二接收单元, 用于在所述第一接收单元接收局域网中各终端设备上报的灰文 件的属性信息之前, 接收所述终端设备发送的预置文件;  The server according to claim 16 or 17, wherein the server further comprises: a second receiving unit, configured to receive attribute information of the gray file reported by each terminal device in the local area network in the first receiving unit Before receiving the preset file sent by the terminal device;
第三接收单元, 用于接收云查杀服务器发送的数据库表格, 所述数据库表格为 所述云查杀服务器根据所述预置文件的白名单及黑名单生成;  a third receiving unit, configured to receive a database table sent by the cloud killing server, where the database table is generated by the cloud killing server according to the whitelist and the blacklist of the preset file;
第二确定单元, 用于根据所述第三接收单元接收的所述数据库表格确定所述预 置文件是否为所述灰文件;  a second determining unit, configured to determine, according to the database table received by the third receiving unit, whether the preset file is the gray file;
所述第一接收单元, 还用于当所述第二确定单元根据所述数据库表格确定所述 预置文件为所述灰文件时, 接收局域网中各终端设备上报的灰文件的属性信息。  The first receiving unit is further configured to: when the second determining unit determines that the preset file is the gray file according to the database table, receive attribute information of a gray file reported by each terminal device in the local area network.
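The server-side logic of claims 16 to 18 (accept only gray-file reports, select the gray files of the alerting terminal within a preset time window, and concatenate source and flow-target information in chronological order into a flow path) can be illustrated with a small simulation. The code below is an added example written for this page; it is not the patent's own implementation, and all names (FileReport, FlowServer, the terminal identifiers T1 to T3, the file identifiers and the timestamps) are constructed for illustration. The whitelist and blacklist stand in for the database table that the claims say the cloud scanning server sends, and the abnormal warning is assumed to have already been raised by the terminal-side rule check of claims 14 and 15.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set


@dataclass(frozen=True)
class FileReport:
    """Attribute information of one file as reported by one terminal (constructed layout)."""
    terminal_id: str   # identification information of the reporting terminal
    file_id: str       # identification information of the file (e.g. a hash)
    time: datetime     # time information
    source: str        # source information: where the file came from
    target: str        # flow target information: where the file went


def is_gray(file_id: str, whitelist: Set[str], blacklist: Set[str]) -> bool:
    """A file is gray when it is known to be neither good nor bad."""
    return file_id not in whitelist and file_id not in blacklist


class FlowServer:
    """Hypothetical LAN server that reconstructs the flow path of gray files."""

    def __init__(self, whitelist: Set[str], blacklist: Set[str]) -> None:
        self.whitelist = whitelist      # stands in for the cloud-generated table
        self.blacklist = blacklist
        self.reports: List[FileReport] = []

    def receive_report(self, report: FileReport) -> bool:
        """First receiving unit: keep attribute information of gray files only."""
        if not is_gray(report.file_id, self.whitelist, self.blacklist):
            return False
        self.reports.append(report)
        return True

    def gray_files_in_window(self, terminal_id: str, alert_time: datetime,
                             window: timedelta) -> Set[str]:
        """First acquiring unit: gray files seen on the alerting terminal
        within the preset time period ending at the alert."""
        start = alert_time - window
        return {r.file_id for r in self.reports
                if r.terminal_id == terminal_id and start <= r.time <= alert_time}

    def flow_path(self, file_id: str) -> List[str]:
        """Second/third acquiring units: gather every terminal's report for the
        file, order them by time, and concatenate source -> target hops.
        A source that differs from the previous target starts a new hop, so gaps
        in the reports do not silently merge two different origins."""
        ordered = sorted((r for r in self.reports if r.file_id == file_id),
                         key=lambda r: r.time)
        path: List[str] = []
        for r in ordered:
            if not path or path[-1] != r.source:
                path.append(r.source)
            path.append(r.target)
        return path

    def handle_alert(self, terminal_id: str, alert_time: datetime,
                     window: timedelta) -> Dict[str, List[str]]:
        """Abnormal warning received: return a flow path per affected gray file."""
        return {fid: self.flow_path(fid)
                for fid in sorted(self.gray_files_in_window(terminal_id, alert_time, window))}


def build_sample_server() -> FlowServer:
    """Constructed sample: one gray file hopping mail-gw -> T1 -> T2 -> T3,
    a second gray file that arrived on T3 much earlier, and one white file."""
    t0 = datetime(2016, 1, 1, 0, 0, 0)
    server = FlowServer(whitelist={"h_white"}, blacklist={"h_black"})
    server.receive_report(FileReport("T3", "h_gray2", t0 + timedelta(seconds=30), "usb", "T3"))
    server.receive_report(FileReport("T1", "h_gray", t0 + timedelta(minutes=1), "mail-gw", "T1"))
    server.receive_report(FileReport("T2", "h_gray", t0 + timedelta(minutes=2), "T1", "T2"))
    server.receive_report(FileReport("T3", "h_white", t0 + timedelta(minutes=4), "share", "T3"))
    server.receive_report(FileReport("T3", "h_gray", t0 + timedelta(minutes=5), "T2", "T3"))
    return server


if __name__ == "__main__":
    srv = build_sample_server()
    alert_at = datetime(2016, 1, 1, 0, 5, 10)
    print(srv.handle_alert("T3", alert_at, timedelta(minutes=2)))
    # {'h_gray': ['mail-gw', 'T1', 'T2', 'T3']}
```

With a two-minute window the alert from T3 pulls in only h_gray (reported at 00:05), not h_gray2 (reported at 00:00:30), and the white file never enters the report store at all; the resulting path shows the investigator where the file entered the LAN and every host it passed through.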
19. A detection system for an APT attack, wherein the system comprises the terminal device according to any one of claims 10 to 15 and the server according to any one of claims 16 to 18.
20. A computer program comprising computer-readable code which, when run on a computing device, causes the computing device to perform the detection method for an APT attack according to any one of claims 1 to 9.
21. A computer-readable medium storing the computer program according to claim 20.
PCT/CN2016/110469 2015-12-18 2016-12-16 Detection method for apt attack, terminal device, server and system WO2017101874A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510959102.0A CN105430001A (en) 2015-12-18 2015-12-18 Detecting method, terminal device, server and system of APT (Advanced Persistent Threat) attack
CN201510959102.0 2015-12-18

Publications (1)

Publication Number Publication Date
WO2017101874A1 true WO2017101874A1 (en) 2017-06-22

Family

ID=55507942

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/110469 WO2017101874A1 (en) 2015-12-18 2016-12-16 Detection method for apt attack, terminal device, server and system

Country Status (2)

Country Link
CN (1) CN105430001A (en)
WO (1) WO2017101874A1 (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105430001A (en) * 2015-12-18 2016-03-23 北京奇虎科技有限公司 Detecting method, terminal device, server and system of APT (Advanced Persistent Threat) attack
CN106375303A (en) * 2016-08-30 2017-02-01 江苏博智软件科技有限公司 Attack defense method and apparatus
CN106856478A (en) * 2016-12-29 2017-06-16 北京奇虎科技有限公司 A kind of safety detection method and device based on LAN
CN107786531B (en) * 2017-03-14 2020-02-18 平安科技(深圳)有限公司 APT attack detection method and device
CN107172050A (en) * 2017-05-19 2017-09-15 北京安数云信息技术有限公司 The detection method and detecting system of APT attacks
CN110149319B (en) * 2019-04-26 2021-11-23 奇安信科技集团股份有限公司 APT organization tracking method and device, storage medium and electronic device
CN112364348B (en) * 2020-11-30 2021-10-12 杭州美创科技有限公司 Database security exception identification method and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103902894A (en) * 2012-12-24 2014-07-02 珠海市君天电子科技有限公司 Virus defense method and system based on user behavior differentiation
CN104461826A (en) * 2014-12-05 2015-03-25 北京奇虎科技有限公司 Object flow monitoring method, device and system
CN105138901A (en) * 2015-08-03 2015-12-09 浪潮电子信息产业股份有限公司 White list-based cloud host active defense implementation method
CN105430001A (en) * 2015-12-18 2016-03-23 北京奇虎科技有限公司 Detecting method, terminal device, server and system of APT (Advanced Persistent Threat) attack

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103761114B (en) * 2013-10-18 2017-10-17 北京奇虎科技有限公司 A kind of browser side loading extension and/or the method and device of plug-in unit
CN103905418B (en) * 2013-11-12 2017-02-15 北京安天电子设备有限公司 APT multi-dimensional detection and defense system and method
CN103716313B (en) * 2013-12-24 2016-07-13 中国科学院信息工程研究所 A kind of user privacy information guard method and system
CN104618427B (en) * 2014-12-17 2016-08-24 百度在线网络技术(北京)有限公司 A kind of method and apparatus for carrying out file monitor by network

Also Published As

Publication number Publication date
CN105430001A (en) 2016-03-23

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16874931

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16874931

Country of ref document: EP

Kind code of ref document: A1