CN103312679B - Detection method and system for advanced persistent threats - Google Patents
- Publication number: CN103312679B (application CN201210068888.3A)
- Authority: CN (China)
- Prior art keywords: attack, event, scenarios, sequence, attack step
- Legal status: Expired - Fee Related (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The present invention provides a detection method and system for advanced persistent threats (APT). The method includes: obtaining the attack steps contained in each APT attack scenario and the correlation rules used to decide whether the attack steps preceding and following each attack step are present, where each attack step corresponds to multiple different events that can realise it; obtaining the results of network intrusion detection and recording the alert events that occur in the network; if an alert event is an event corresponding to an attack step in some attack scenario, triggering the APT detection process; and processing the resulting attack sequences and outputting the result as APT information.
Description
Technical field
The present invention relates to the field of information security, and in particular to a detection method and system for advanced persistent threats.
Background art
As hacking becomes more organised and profit-driven, APT (Advanced Persistent Threat) has become the most serious threat to government and large enterprise information systems. Macro-scale network security monitoring has a wide monitoring range and covers many key organisations, which makes it an ideal environment for detecting APT attacks.
Technically, APT is not a new attack technique but the collective name for a class of targeted attacks: the whole process in which an attacker carries out a purposeful series of attack actions in order to obtain important information about an organisation or even a country. An APT attack uses many attack means, including the latest attack methods and social engineering, to gain privileges inside the target organisation step by step. To avoid being discovered by intrusion detection devices, the attacker often writes a dedicated attack program for the target instead of using generic attack code.
APT detection can be implemented by first constructing the concrete steps of an attack scenario and then matching the scenario on top of traditional intrusion detection technology. This method has the following disadvantages:
1) Because of the diversity of APTs it is difficult to cover all attack scenarios, so complete detection is hard. An attacker can reach a specific goal by many different routes; as the defender it is hard to enumerate every possible scenario, and any omission in scenario construction causes missed detections.
2) APTs often transmit sensitive information in encrypted form, which passive (mirror-port) monitoring has difficulty detecting. Once an intrusion succeeds, the attacker usually exfiltrates the stolen sensitive information through an encrypted tunnel, and a passive detection device cannot match signatures against the encrypted data.
3) APT attacks often penetrate through zero-day vulnerabilities, and traditional signature-matching intrusion detection devices lag behind in their signatures. Once the real-time detection of the attack behaviour has been missed, the APT attack process cannot be traced back even after the detection signatures have been updated and the detection capability acquired.
4) An APT attack is a very long-lasting process; its purpose is usually not a one-off gain but long-term profit. This makes each individual attack step hard to notice, and traditional intrusion detection may only surface isolated low-severity security events that do not attract enough attention from administrators.
From these shortcomings it follows that the difficulty of APT detection lies in the fact that the attacker's behaviour unfolds over a time window, whereas traditional intrusion detection devices detect at a point in time and lack the support of detection context. A scheme capable of effectively detecting APT attacks is therefore needed.
Summary of the invention
The present invention provides a detection method and system for advanced persistent threats; the technical problem to be solved is how to detect APT attacks in conjunction with historical events.
To solve the above technical problem, the technical solution of the present invention is:
A detection method for advanced persistent threats, including:
obtaining the attack steps contained in each APT attack scenario and the correlation rules used to decide whether the attack steps preceding and following each attack step are present, where each attack step corresponds to multiple different events that can realise it;
obtaining the results of network intrusion detection and recording the alert events that occur in the network;
if an alert event is an event corresponding to an attack step in some attack scenario, triggering the APT detection process, which includes:
if the alert event is the event corresponding to the initial attack step of the attack scenario, saving the event from the current network directly as a new attack sequence for that attack scenario;
if the alert event is not the event corresponding to the initial attack step of the attack scenario, judging according to the recorded correlation rules whether a correlation exists between the alert event and the events recorded in the attack sequence for that attack scenario, and if so appending the alert event directly to that attack sequence;
processing the resulting attack sequences and outputting the result as APT information.
Preferably, the method also has the following feature: the triggered APT detection process also includes:
if the alert event is not the event corresponding to the initial attack step of the attack scenario and no correlation exists between it and the events recorded in the attack sequence for that scenario, establishing a correlation between any two recorded attack steps that are both correlated with the same attack step;
judging, according to the newly obtained correlation rules, whether a correlation exists between the alert event and the events recorded in the attack sequence for that attack scenario, and if so appending the alert event directly to that attack sequence.
Preferably, the method also has the following feature: the triggered APT detection process also includes:
if a particular attack step in some attack scenario has no correlation rule with the previous or the next attack step, and alert events corresponding to both the previous and the next attack step of that scenario have been detected, obtaining the time interval between the occurrence of the alert events corresponding to the previous and the next attack step;
querying the historical event records for events belonging to that particular attack step within this time interval;
if found, updating the attack sequence of that attack scenario.
A detection system for advanced persistent threats, including:
an acquisition device, for obtaining the attack steps contained in each APT attack scenario and the correlation rules used to decide whether the attack steps preceding and following each attack step are present, where each attack step corresponds to multiple different events that can realise it;
a recording device, connected to the acquisition device, for obtaining the results of network intrusion detection and recording the alert events that occur in the network;
a detecting device, connected to the recording device, for triggering the APT detection process when an alert event is an event corresponding to an attack step in some attack scenario, including:
if the alert event is the event corresponding to the initial attack step of the attack scenario, saving the event from the current network directly as a new attack sequence for that attack scenario;
if the alert event is not the event corresponding to the initial attack step of the attack scenario, judging according to the recorded correlation rules whether a correlation exists between the alert event and the events recorded in the attack sequence for that attack scenario, and if so appending the alert event directly to that attack sequence;
an output device, connected to the detecting device, for processing the resulting attack sequences and outputting the result as APT information.
Preferably, the system also has the following feature: the system also includes:
a trigger device, connected to the detecting device and the recording device, for the case where the alert event is not the event corresponding to the initial attack step of the attack scenario and no correlation exists between it and the events recorded in the attack sequence for that scenario: it establishes a correlation between any two recorded attack steps that are both correlated with the same attack step, then judges according to the newly obtained correlation rules whether a correlation exists between the alert event and the events recorded in the attack sequence for that scenario, and if so appends the alert event directly to that attack sequence.
Preferably, the system also has the following feature: the detecting device also includes:
an acquisition module, for the case where a particular attack step in some attack scenario has no correlation rule with the previous or the next attack step: if alert events corresponding to both the previous and the next attack step of that scenario have been detected, it obtains the time interval between the occurrence of those alert events;
a query module, connected to the acquisition module, for querying the historical event records for events belonging to that particular attack step within this time interval;
an update module, connected to the query module, for updating the attack sequence of that attack scenario after the query module has found an event of that particular attack step.
The beneficial effects of the present invention are as follows. It solves the problem that ordinary firewalls or intrusion detection products cannot re-analyse historical data and therefore cannot find attack behaviour that the attacker carries out using 0-day vulnerabilities, and it also solves the problem that ordinary intrusion detection systems cannot assess the threat of the overall attack behaviour sequence through backtracking correlation analysis of each step of the APT attack. A storage-based detection mode with backtracking rule correlation finds attack behaviour sequences that are correlated with one another and thereby assesses the threat of the APT attack as a whole. This improves the system's capability to detect APT attacks to a certain extent: it can find APT attack behaviour matching preset attack scenarios and show users or administrators the APT attack behaviour or security hazards that may be occurring, helping the management system or administrators to comprehensively grasp and protect the sensitive data of the current system. It has good performance and accuracy and can be widely applied in network security detection products.
Brief description of the drawings
Fig. 1 is a flow chart of an embodiment of the APT detection method provided by the present invention;
Fig. 2 is a structural diagram of an embodiment of the APT detection system provided by the present invention;
Fig. 3 is a structural diagram of an application example of the APT detection system provided by the present invention.
Detailed description of the invention
To make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the drawings and specific embodiments. Note that, where they do not conflict, the embodiments of this application and the features in the embodiments may be combined with each other arbitrarily.
For ease of understanding, the following concepts are explained first:
An attack scenario consists of at least two attack steps. For example, an attack scenario may be "vulnerability scan + buffer overflow attack + backdoor implantation", where vulnerability scan, buffer overflow attack and backdoor implantation are the attack steps, in the order shown.
Setting up an attack scenario is similar to setting up IDS events and must satisfy the following requirements:
1. Each attack step in an attack scenario should be precise, so that event classification does not introduce uncertainty.
2. For each step in the attack scenario a rule for correlating the steps should be provided, based on the attributes defined by the current IDS event language; the rule is used to look up whether the attack steps before and after a given step in the scenario are present. For example, continuing with the scenario "vulnerability scan + buffer overflow attack + backdoor implantation", for the buffer overflow step a bidirectional correlation rule could be set as "destination IP of the previous step = destination IP of the next step". This means that when a buffer overflow event is detected, the system relies on this rule to find whether the attack steps before and after it in the scenario are present.
3. The correlation rules for the steps in an attack scenario should be hierarchical. For example, with scenario A+B+C+D+E, when attack step C is found, besides the rules correlating C with steps B and D, rules correlating C with other steps such as A and E should also be set where possible. Continuing the example above: with the scenario "vulnerability scan + buffer overflow attack + backdoor implantation", if the detected step is backdoor implantation, the correlation rule between the buffer overflow step and the backdoor implantation step can be set as "destination IP of the previous step = destination IP of the next step"; in addition, a next-level rule is set for the backdoor implantation step so that the correlation rule between the vulnerability scan step and the backdoor implantation step is also "destination IP of the previous step = destination IP of the next step".
Furthermore, the same attack step can be realised by different technical means, and all events that can realise that step are treated as one event class. For example, when the attack step is vulnerability scan, its event class is the vulnerability-scan event class, and every prior-art event that achieves the function of vulnerability scanning belongs to this class.
If an alert event occurring in the network is an event corresponding to an attack step in some attack scenario, the event is recorded as an attack sequence; for example, when a vulnerability-scan event is detected, that event is recorded as an attack sequence.
The APT detection method provided by the present invention is explained below. Fig. 1 is a flow chart of an embodiment of this method; the method embodiment shown in Fig. 1 includes:
Step 11: obtain the attack steps contained in each APT attack scenario and the correlation rules used to decide whether the attack steps preceding and following each attack step are present, where each attack step corresponds to multiple different events that can realise it;
Step 12: obtain the results of network intrusion detection and record the alert events occurring in the network;
Step 13: if the alert event is an event corresponding to an attack step in some attack scenario, trigger the APT detection process, which includes:
if the alert event is the event corresponding to the initial attack step of the attack scenario, saving the event from the current network directly as a new attack sequence for that attack scenario;
if the alert event is not the event corresponding to the initial attack step of the attack scenario, judging according to the recorded correlation rules whether a correlation exists between the alert event and the events recorded in the attack sequence for that attack scenario, and if so appending the alert event directly to that attack sequence;
Step 14: process the resulting attack sequences and output the result as APT information.
Because an APT attack consists of a series of steps and the point at which it is likely to be exposed is often at the back end of the attack path, the technical solution provided by the present invention detects real-time traffic and, once suspicious behaviour appears (such as an unknown outbound connection or abnormal encrypted communication), traces back to the earlier historical traffic for in-depth analysis and correlation. This discovers APT attacks and security hazards that may be present, prevents core data from being damaged or leaked, and improves the protective capability of the network system.
Below method provided by the invention is described further:
Embodiment one
Step 101: obtain the attack steps of each attack scenario set by the user and the correlation rules used to decide whether the attack steps preceding and following each attack step are present, where each attack step corresponds to multiple different events that realise it.
Step 102: perform intrusion detection in real time and obtain the alert events occurring in the network.
Step 103: if the alert event is an event corresponding to an attack step in some attack scenario, trigger the APT attack state detection process, which specifically includes:
if the alert event is the event corresponding to the initial attack step of the attack scenario, saving the event from the current network directly as a new attack sequence for that attack scenario;
if the alert event is not the event corresponding to the initial attack step, judging whether a correlation exists between the alert event and the events recorded in the saved attack sequence, and if so appending the alert event directly to that attack sequence.
For example, if a buffer overflow event is detected and some attack sequence already records a vulnerability-scan event that correlates with it under the rule, the buffer overflow event is added directly to that attack sequence.
Step 104: perform an overall threat assessment of the updated APT attack sequence and output the assessment result to the user or administrator.
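The scenario definition, event classes and correlation rules from the concept section above, together with the real-time matching of steps 101 to 104, as an added example in Python (this is not code from the patent). The scenario, the signature names, the `same_dst` rule, the third "hierarchical" rule linking scan to backdoor, and the alert stream are all constructed for illustration; the coverage figure in the report stands in for the overall threat assessment, which the text does not specify.

```python
"""Scenario-based correlation of IDS alerts into attack sequences.

Added example, not the patent's code.  Scenario, signature names, rules and
the alert stream are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Attack scenario from the text: vulnerability scan + buffer overflow + backdoor implant.
SCENARIO: List[str] = ["vuln_scan", "buffer_overflow", "backdoor_implant"]

# One attack step is realised by several concrete events; they form one event
# class.  Signature names are invented, not taken from any real IDS rule set.
EVENT_CLASS: Dict[str, str] = {
    "nmap_syn_scan": "vuln_scan",
    "nessus_probe": "vuln_scan",
    "http_long_uri_overflow": "buffer_overflow",
    "ftp_user_overflow": "buffer_overflow",
    "bind_shell_connect": "backdoor_implant",
}

Rule = Callable[[dict, dict], bool]


def same_dst(prev: dict, new: dict) -> bool:
    """The rule from the text: destination IP of the earlier step equals the
    destination IP of the later step."""
    return prev["dst_ip"] == new["dst_ip"]


# Correlation rules keyed by (earlier step, later step).  The third entry is the
# hierarchical rule that links non-adjacent steps, so a backdoor alert can still
# be tied to a scan when the overflow in between was never detected.
RULES: Dict[Tuple[str, str], Rule] = {
    ("vuln_scan", "buffer_overflow"): same_dst,
    ("buffer_overflow", "backdoor_implant"): same_dst,
    ("vuln_scan", "backdoor_implant"): same_dst,
}


@dataclass
class AttackSequence:
    events: List[dict] = field(default_factory=list)

    def steps(self) -> List[str]:
        return [EVENT_CLASS[e["sig"]] for e in self.events]


class Correlator:
    """Steps 101-104: one attack sequence per detected scenario instance."""

    def __init__(self) -> None:
        self.sequences: List[AttackSequence] = []

    def ingest(self, alert: dict) -> Optional[AttackSequence]:
        step = EVENT_CLASS.get(alert["sig"])
        if step is None:                      # not an event of any scenario step
            return None
        if step == SCENARIO[0]:               # initial step: open a new sequence
            seq = AttackSequence([alert])
            self.sequences.append(seq)
            return seq
        for seq in self.sequences:
            if step in seq.steps():           # this step is already filled here
                continue
            for prev in seq.events:           # any recorded event may correlate
                rule = RULES.get((EVENT_CLASS[prev["sig"]], step))
                if rule is not None and rule(prev, alert):
                    seq.events.append(alert)
                    return seq
        return None                           # no rule fired: left for backtracking

    def report(self) -> List[dict]:
        """Step 104: overall assessment, here the fraction of the scenario seen."""
        return [{"target": s.events[0]["dst_ip"], "steps": s.steps(),
                 "coverage": len(s.events) / len(SCENARIO)} for s in self.sequences]


# Constructed alert stream (addresses from documentation ranges).
SAMPLE_ALERTS: List[dict] = [
    {"ts": 1, "sig": "nmap_syn_scan",      "src_ip": "203.0.113.7", "dst_ip": "10.0.0.5"},
    {"ts": 2, "sig": "nessus_probe",       "src_ip": "203.0.113.9", "dst_ip": "10.0.0.6"},
    {"ts": 3, "sig": "ftp_user_overflow",  "src_ip": "203.0.113.7", "dst_ip": "10.0.0.5"},
    {"ts": 4, "sig": "ftp_user_overflow",  "src_ip": "203.0.113.7", "dst_ip": "10.0.0.77"},  # no prior scan
    {"ts": 5, "sig": "bind_shell_connect", "src_ip": "203.0.113.9", "dst_ip": "10.0.0.6"},   # overflow missed
    {"ts": 6, "sig": "bind_shell_connect", "src_ip": "203.0.113.7", "dst_ip": "10.0.0.5"},
]


def run_sample() -> List[dict]:
    c = Correlator()
    for alert in SAMPLE_ALERTS:
        c.ingest(alert)
    return c.report()


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

The alert at ts 4 is dropped because no sequence holds a scan of 10.0.0.77; the alert at ts 5 is attached to the 10.0.0.6 sequence only because the hierarchical scan-to-backdoor rule exists, which is the situation the wildcard handling of embodiment two then resolves from history.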
Embodiment two
The difference from embodiment one is that, when the alert event is not the initial state of any APT attack pattern sequence and also cannot be exactly correlated to the next state of any APT attack sequence in the stored APT attack sequence store, the following operations are performed:
The APT detection engine loads the most comprehensive, up-to-date attack signatures and analysis strategy and performs in-depth detection on the historical data. Specifically:
Step 201: when any two attack steps are both correlated with the same attack step, merge them so that they are correlated with each other.
In the following, capital letters denote attack steps and lower-case letters denote the events corresponding to them; for example, the event corresponding to attack step A is a.
Examples of merging between attack steps:
when attack step A is correlated with B and B with C, merging gives A correlated with B correlated with C;
when A is correlated with B correlated with C, and B with C with D, merging gives A correlated with B correlated with C correlated with D.
According to this merging principle, the event sets corresponding to the attack steps are correlated pairwise following the correlation result of the attack steps; the correlation results are then merged repeatedly to obtain the final correlation result.
Correspondingly, since the attack steps are correlated pairwise, the combinations of events corresponding to those attack steps also stand in the corresponding correlation.
The purpose of this is to correlate events effectively: in some scenarios the attacker does not launch the attack in the order of the attack steps of the scenario, so if an attack step is not linked to at least the two attack steps before and after it, it is hard to find that the same attacker performed the attack, which is very unfavourable for APT detection.
Step 202: using the newly obtained correlations, judge again according to the newly obtained correlation rules whether a correlation exists between the alert event and the events recorded in the attack sequence for that attack scenario, and if so append the alert event directly to that attack sequence.
The latest set of events detected in the historical data and all APT attack sequences stored in the current APT attack sequence store are correlated according to the predetermined correlation rules.
For example: when an attack pattern is defined as "A+B+C+D+E", the current APT attack sequence store holds the current detected sequence "a+b+c+d", and the event detected now is e, where e belongs to event class E, the correlation result is (A+B+C+D+E: "a+b+c+d+e").
If the current APT attack sequence store holds the current detected sequence "a+b+c" and the event detected now is e, then by the hierarchical correlation set during scenario definition, although no event of step D has been detected, if the predefined correlation rules contain a rule between steps C and E the correlation result is (A+B+C+D+E: "a+b+c+*+e"). The data between event c and event e is then extracted by calling the stream storage device, the latest temporal signature library is loaded and in-depth detection is performed. If event d of step D is detected, the correlation result is updated to (A+B+C+D+E: "a+b+c+d+e"); otherwise (A+B+C+D+E: "a+b+c+*+e") remains the current correlation result. The merging principle above is then applied again to merge the correlation results further.
Another example: when the result of rule correlation corresponds to some steps of some attack pattern but cannot form a complete attack pattern, the rule correlation module produces all possible attack sequences. For example, with two predefined attack patterns "A+B+C+D+E" and "A+B+X+D+E", the rule matching results are "a+b" and "d+e", where a, b, d and e are the detected events consistent with steps A, B, D and E of the attack patterns. Events b and d cannot be correlated by the rule correlation described above, that is, there is no attribute that can correlate b and d. Corresponding attack sequences are then produced from the attack patterns that may be matched. In this case the possible attack sequences produced are (A+B+C+D+E: "a+b+*+d+e"; A+B+X+D+E: "a+b+*+d+e"), and the time range in which the * event occurred is output at the same time. When an updated signature library is loaded, the historical data in that time range is analysed again to determine the correct rule correlation result. If the two matched attack patterns have subsequent steps, the real current attack sequence can also be decided from subsequent detection results.
Embodiment three
If the attack sequence processed by the method of embodiment two is not related to any existing attack sequence, a new attack sequence entry is added to the APT attack sequence store;
If the new attack sequence produced is unique (that is, the attack pattern in the output result is unique), for example (A+B+C+D+E: "a+b+*+d+e"), and the APT attack sequence store currently holds a related attack sequence (A+B+C+D+E: "a+b"), the stored attack sequence is replaced with the new one.
If the APT attack sequence store currently holds related attack sequences such as (A+B+C+D+E: "a+b+*+*+e"; A+B+X+D+E: "a+b+*+*+e"), the stored attack sequence is updated to (A+B+C+D+E: "a+b+*+d+e") and the unmatched attack pattern (A+B+X+D+E: "a+b+*+*+e") is deleted.
If the attack sequence produced is (A+B+C+D+E: "*+*+c+d+e") and the APT attack sequence store currently holds a related attack sequence such as (A+B+C+D+E: "a+b+c+*+*"), then, since the attack patterns are identical and c in both sequences is the same event, the attack sequences are merged and stored as (A+B+C+D+E: "a+b+c+d+e").
When a unique attack scenario cannot be determined, as many possible attack patterns and attack sequences as possible are retained; subsequent updated detection results increase the certainty of the attack sequence, and the uncertain attack sequences that fail to match are removed.
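The backtracking path of embodiments two and three, as an added example (not the patent's code): the transitive merging of correlation rules from step 201, wildcard slots for steps that were never detected, backfilling a wildcard from the historical store inside the time window of its filled neighbours, and the slot-wise merge and pruning of the attack sequence store. The patterns, rules, events, timestamps and stored sequences are constructed, and the policy of dropping still-ambiguous patterns once a sibling pattern is fully resolved is an assumption of this example; the text only says that patterns which fail to match are removed.

```python
"""Backtracking path: merged rules, wildcard slots, historical backfill and
sequence-store update.  Added example, not the patent's code; every pattern,
rule, event, timestamp and store entry is constructed for illustration."""
from typing import Dict, List, Optional, Set, Tuple

WILDCARD = "*"
Seq = List[str]                # one slot per pattern step: event id or "*"
Rules = Set[Tuple[str, str]]   # (earlier step, later step) pairs that correlate

# Two predefined attack patterns sharing a prefix and a suffix, as in the text.
PATTERNS = {"P1": ("A", "B", "C", "D", "E"), "P2": ("A", "B", "X", "D", "E")}

# Constructed events: id -> (step class, timestamp, destination IP).
EVENTS: Dict[str, Tuple[str, int, str]] = {
    "a": ("A", 100, "10.0.0.5"), "b": ("B", 130, "10.0.0.5"),
    "d": ("D", 200, "10.0.0.5"), "e": ("E", 240, "10.0.0.5"),
    "c": ("C", 160, "10.0.0.5"), "x2": ("X", 170, "10.0.0.9"),  # history only; x2 is on the wrong host
}
HISTORY = {k: EVENTS[k] for k in ("c", "x2")}

# Directly defined rules: adjacent steps correlate when they share the dst IP.
RULES: Rules = {("A", "B"), ("B", "C"), ("C", "D"), ("D", "E"), ("B", "X"), ("X", "D")}

def transitive_closure(rules: Rules) -> Rules:
    """Step 201: A->B and B->C merge into A->B->C, so (A, C) becomes a rule."""
    closed = set(rules)
    while True:
        extra = {(p, s) for (p, q) in closed for (r, s) in closed if q == r} - closed
        if not extra:
            return closed
        closed |= extra

def related(e1: str, e2: str, rules: Rules) -> bool:
    (s1, _, ip1), (s2, _, ip2) = EVENTS[e1], EVENTS[e2]
    return (s1, s2) in rules and ip1 == ip2

def candidates(observed: List[str], rules: Rules) -> Dict[str, Seq]:
    """One wildcard sequence per pattern the observed events fit; each event must
    correlate (under the merged rules) with the one observed before it."""
    out: Dict[str, Seq] = {}
    for name, pattern in PATTERNS.items():
        seq, prev = [WILDCARD] * len(pattern), None
        for cur in observed:
            step = EVENTS[cur][0]
            if step not in pattern or (prev is not None and not related(prev, cur, rules)):
                break
            seq[pattern.index(step)], prev = cur, cur
        else:                       # no break: every observed event fitted
            out[name] = seq
    return out

def backfill(name: str, seq: Seq, history: Dict[str, Tuple[str, int, str]],
             rules: Rules) -> Tuple[Seq, List[Tuple[int, int]]]:
    """Fill each wildcard that has filled neighbours from a history event of that
    step inside the neighbours' time window; also return the windows left open."""
    pattern, seq, still_open = PATTERNS[name], list(seq), []
    for i, slot in enumerate(seq):
        before = [j for j in range(i) if seq[j] != WILDCARD]
        after = [j for j in range(i + 1, len(seq)) if seq[j] != WILDCARD]
        if slot != WILDCARD or not before or not after:
            continue
        lo, hi = seq[before[-1]], seq[after[0]]
        t0, t1 = EVENTS[lo][1], EVENTS[hi][1]
        hit = next((eid for eid, (step, ts, _) in history.items()
                    if step == pattern[i] and t0 <= ts <= t1
                    and related(lo, eid, rules) and related(eid, hi, rules)), None)
        if hit is None:
            still_open.append((t0, t1))
        else:
            seq[i] = hit
    return seq, still_open

def merge_slots(stored: Seq, new: Seq) -> Optional[Seq]:
    """Embodiment three: merge slot by slot when every filled slot agrees;
    None when the two sequences name different events for one step."""
    merged: Seq = []
    for s, n in zip(stored, new):
        if s != n and WILDCARD not in (s, n):
            return None
        merged.append(n if s == WILDCARD else s)
    return merged

def update_store(store: Dict[str, Seq], new: Dict[str, Seq]) -> Dict[str, Seq]:
    """Keep the patterns the new result still supports, merge with what was stored,
    and (policy chosen here) drop ambiguous patterns once a sibling is resolved."""
    out = {}
    for name, seq in new.items():
        merged = merge_slots(store[name], seq) if name in store else seq
        if merged is not None:
            out[name] = merged
    if any(WILDCARD not in s for s in out.values()):
        out = {n: s for n, s in out.items() if WILDCARD not in s}
    return out

def run_sample() -> Dict[str, Seq]:
    rules = transitive_closure(RULES)
    store = {"P1": ["a", "b", "*", "*", "*"], "P2": ["a", "b", "*", "*", "*"]}
    cands = candidates(["a", "b", "d", "e"], rules)      # real-time alerts a, b, d, e
    filled = {n: backfill(n, s, HISTORY, rules)[0] for n, s in cands.items()}
    return update_store(store, filled)
```

Running `run_sample()` reproduces the text's second example: the real-time alerts a, b, d, e yield the two candidates "a+b+*+d+e" for both patterns (b and d only correlate through the merged rule B->D), the window between b and d is searched in the history, event c fills the wildcard of A+B+C+D+E while the X candidate x2 is rejected for being on another host, and the store ends up holding only the fully resolved "a+b+c+d+e".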
Fig. 2 is the structural representation of the detection system of senior constant threat provided by the invention.In conjunction with method as discussed above, system shown in Figure 2 embodiment includes:
Acquisition device 21, for obtaining attack step included by each Attack Scenarios of senior constant threat and for judging the correlation rule that before and after each attack step, whether attack step exists, the wherein corresponding multiple different events being capable of this attack step of each attack step;
Recording equipment 22, is connected with described acquisition device 21, for obtaining the testing result of network intrusions, and the alert event occurred in record network;
Detecting device 23, is connected with described recording equipment 22, if being event corresponding to attack step in a certain Attack Scenarios for alert event, then triggers the testing process of senior constant threat, including:
If the alert event corresponds to the initial attack step of an attack scenario, the event in the current network is saved directly as a new attack sequence corresponding to that attack scenario;
If the alert event does not correspond to the initial attack step of the attack scenario, then, according to the recorded correlation rules, it is judged whether an association relation exists between the alert event and the events already recorded in the attack sequence corresponding to that attack scenario; if one exists, the alert event is appended directly to that attack sequence;
Output device 24, connected to the detecting device 23, for processing the obtained attack sequence and outputting the result as advanced persistent threat information.
The system further includes:
Trigger device, connected to the detecting device and the recording device, for the case where the alert event does not correspond to the initial attack step of the attack scenario and no association relation exists between it and the events recorded in the attack sequence corresponding to that scenario: an association relation is established between two attack steps that each have an association relation with the same attack step as a recorded step; then, according to the newly obtained correlation rule, it is judged again whether an association relation exists between the alert event and the events recorded in the attack sequence corresponding to that scenario, and if so, the alert event is appended directly to that attack sequence.
Optionally, the detecting device further includes:
Acquisition module, for the case where a particular attack step of an attack scenario has no correlation rule with its previous attack step or its next attack step: if alert events corresponding to both the previous and the next attack step of that scenario have been detected, the time interval between the occurrence of those two alert events is obtained;
Query module, connected to the acquisition module, for querying the historical record of events for events belonging to that particular attack step within that time interval;
Update module, connected to the query module, for updating the attack sequence of that attack scenario after the query module finds an event of that particular attack step.
The system provided by the invention is described further below:
Fig. 3 is a structural schematic of an application example of the advanced persistent threat detection system provided by the invention. This embodiment is a virtual device, in other words a system, implementing the method of the above embodiments. The system in this embodiment includes: an IDS real-time detection system, responsible for real-time intrusion detection on the actually captured data messages; an APT attack scenario library, storing the predefined event classification rules and the APT attack scenarios; an APT attack sequence library, storing the current state of the APT attack sequences under detection; a streaming storage device, which provides historical data as required by the intelligent analysis platform; an APT detection engine, which loads the latest detection events and re-detects, by feature, the historical data provided by the streaming storage device; and an intelligent analysis platform (the product platform of the system), responsible for triggering the association analysis function according to the preset APT attack scenarios and the current network events, for intelligently analysing the current event and the latest events supplied by the APT detection engine against the attack sequences stored in the APT attack sequence library, and for updating the APT attack sequences in that library. At the same time it outputs, as a detection result, a threat assessment for each attack sequence.
Here, the APT attack scenario library implements the event classification and attack scenario setting functions; the IDS real-time detection system implements the real-time intrusion detection of network messages described in embodiment three; and the streaming storage device, the APT attack sequence library and the intelligent analysis platform together implement the rule association analysis, APT attack sequence updating and threat assessment functions described in embodiments four and five.
In the system embodiment provided by the invention, an IDS (intrusion detection system) performs real-time intrusion detection in the real network environment and generates current network events, and, in combination with the preset event classification and APT attack scenarios, it is judged whether intelligent analysis of the historical data is required. A traceable (backward-looking) event correlation model is built for the preset APT attack scenarios, and the current detection event and the stored historical events are subjected to association analysis with this model, to determine whether the attack behaviours that occurred are correlated. Based on the threat coefficients of the attack steps in the preset attack scenarios, the threat degree of the correlated attack sequence obtained by the intelligent analysis is judged, so that single attack behaviours that each appear to have a very low threat degree are associated into a high-threat attack behaviour sequence. By combining the real-time detection capability of IDS equipment with a traceable association analysis technique, the invention detects and intelligently analyses real network data and events in real time, can discover APT attacks that match the preset attack scenarios, and can assess, according to the detected attack behaviours, the threat degree caused by the attack sequence, thereby reporting to the user or administrator the APT attack that may be present and the threat degree reflected by the current state, and providing a safeguard function for the system.
The above is only a specific embodiment of the present invention, but the protection scope of the present invention is not limited thereto; any person familiar with the art could readily conceive of changes or substitutions within the technical scope disclosed by the invention, and these should all be encompassed within the protection scope of the present invention. Therefore, the protection scope of the present invention should be determined by the protection scope described in the claims.
Claims (4)
1. A detection method for an advanced persistent threat, characterised in that a traceable event correlation model is built for preset advanced persistent threat attack scenarios, and the current detection event and the stored historical events are subjected to association analysis with this model, to determine whether the attack behaviours that occurred are correlated, so that single attack behaviours that appear to have a very low threat degree are associated into a high-threat attack behaviour sequence, the method including:
obtaining the attack steps included in each attack scenario of the advanced persistent threat and the correlation rules for judging whether the attack steps before and after each attack step exist, wherein each attack step corresponds to a plurality of different events capable of realising that attack step;
obtaining the network intrusion detection result, and recording the alert events occurring in the network;
if an alert event is an event corresponding to an attack step in an attack scenario, triggering the detection process of the advanced persistent threat, including:
if the alert event corresponds to the initial attack step of the attack scenario, saving the event in the current network directly as a new attack sequence corresponding to that attack scenario;
if the alert event does not correspond to the initial attack step of the attack scenario, judging, according to the recorded correlation rules, whether an association relation exists between the alert event and the events recorded in the attack sequence corresponding to that attack scenario, and if one exists, appending the alert event directly to that attack sequence;
if the alert event does not correspond to the initial attack step of the attack scenario and no association relation exists between it and the events recorded in the attack sequence corresponding to that scenario, establishing an association relation between two attack steps that each have an association relation with the same attack step as a recorded step; judging, according to the newly obtained correlation rule, whether an association relation exists between the alert event and the events recorded in the attack sequence corresponding to that scenario, and if one exists, appending the alert event directly to that attack sequence;
processing the obtained attack sequence and outputting the result as advanced persistent threat information.
2. The method according to claim 1, characterised in that the triggered detection process of the advanced persistent threat further includes:
if a particular attack step of an attack scenario has no correlation rule with its previous attack step or its next attack step, and alert events corresponding to both the previous and the next attack step of that scenario have been detected, obtaining the time interval between the occurrence of those two alert events;
querying the historical record of events for events belonging to that particular attack step within that time interval;
if such an event is found, updating the attack sequence of that attack scenario.
3. A detection system for an advanced persistent threat, characterised in that a traceable event correlation model is built for preset advanced persistent threat attack scenarios, and the current detection event and the stored historical events are subjected to association analysis with this model, to determine whether the attack behaviours that occurred are correlated, so that single attack behaviours that appear to have a very low threat degree are associated into a high-threat attack behaviour sequence, the system including:
an acquisition device, for obtaining the attack steps included in each attack scenario of the advanced persistent threat and the correlation rules for judging whether the attack steps before and after each attack step exist, wherein each attack step corresponds to a plurality of different events capable of realising that attack step;
a recording device, connected to the acquisition device, for obtaining the network intrusion detection result and recording the alert events occurring in the network;
a detecting device, connected to the recording device, for triggering the detection process of the advanced persistent threat when an alert event corresponds to an attack step in an attack scenario, including:
if the alert event corresponds to the initial attack step of the attack scenario, saving the event in the current network directly as a new attack sequence corresponding to that attack scenario;
if the alert event does not correspond to the initial attack step of the attack scenario, judging, according to the recorded correlation rules, whether an association relation exists between the alert event and the events recorded in the attack sequence corresponding to that attack scenario, and if one exists, appending the alert event directly to that attack sequence;
a trigger device, connected to the detecting device and the recording device, for the case where the alert event does not correspond to the initial attack step of the attack scenario and no association relation exists between it and the events recorded in the attack sequence corresponding to that scenario: establishing an association relation between two attack steps that each have an association relation with the same attack step as a recorded step, then judging, according to the newly obtained correlation rule, whether an association relation exists between the alert event and the events recorded in the attack sequence corresponding to that scenario, and if one exists, appending the alert event directly to that attack sequence;
an output device, connected to the detecting device, for processing the obtained attack sequence and outputting the result as advanced persistent threat information.
4. The system according to claim 3, characterised in that the detecting device further includes:
an acquisition module, for the case where a particular attack step of an attack scenario has no correlation rule with its previous attack step or its next attack step: if alert events corresponding to both the previous and the next attack step of that scenario have been detected, obtaining the time interval between the occurrence of those two alert events;
a query module, connected to the acquisition module, for querying the historical record of events for events belonging to that particular attack step within that time interval;
an update module, connected to the query module, for updating the attack sequence of that attack scenario after the query module finds an event of that particular attack step.
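The detection process described in the system embodiment above and in claims 1 to 4, as an added Python example that is not part of the patent: the step names, correlation rules, threat coefficients and events are constructed, and the predicate used for a derived association relation (same host, time order) is an assumption, since the patent does not define it.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Event:
    step: str   # attack step the IDS alert was classified into
    ts: int     # constructed timestamp, in seconds
    host: str   # victim host the alert concerns

Rule = Callable[[Event, Event], bool]  # (recorded event, new event) -> related?
@dataclass
class Scenario:
    steps: List[str]                     # ordered attack steps of the scenario
    rules: Dict[Tuple[str, str], Rule]   # (earlier step, later step) -> rule
    coeff: Dict[str, int]                # threat coefficient of each step
    sequences: List[List[Event]] = field(default_factory=list)

    def link(self, a: Event, b: Event) -> bool:
        rule = self.rules.get((a.step, b.step))  # direct correlation rule, if any
        return bool(rule and rule(a, b))

    def derived_link(self, a: Event, b: Event) -> bool:
        """Trigger-device path: a.step and b.step both have a rule with one middle
        step, so a relation is established; the derived predicate is assumed here."""
        via = any((a.step, m) in self.rules and (m, b.step) in self.rules
                  for m in self.steps)
        return via and a.ts < b.ts and a.host == b.host

def process(sc: Scenario, ev: Event, history: List[Event]) -> Optional[List[Event]]:
    """Initial step opens a new sequence; others attach via a direct or a derived rule."""
    if ev.step not in sc.steps:
        return None
    if ev.step == sc.steps[0]:
        sc.sequences.append([ev])
        return sc.sequences[-1]
    for check in (sc.link, sc.derived_link):
        for seq in sc.sequences:
            if any(check(rec, ev) for rec in seq):
                seq.append(ev)
                fill_gaps(sc, seq, history)
                return seq
    return None  # isolated alert: remains a single low-threat event

def fill_gaps(sc: Scenario, seq: List[Event], history: List[Event]) -> None:
    """Claim 2: backfill a step with no rule to its neighbours from history between them."""
    have = {e.step: e for e in seq}
    for i in range(1, len(sc.steps) - 1):
        prev_s, step, next_s = sc.steps[i - 1], sc.steps[i], sc.steps[i + 1]
        if step in have or prev_s not in have or next_s not in have:
            continue
        if (prev_s, step) in sc.rules and (step, next_s) in sc.rules:
            continue  # covered by rules, so real-time detection handles it
        lo, hi = have[prev_s].ts, have[next_s].ts
        hit = next((h for h in history if h.step == step and lo <= h.ts <= hi
                    and h.host == have[prev_s].host), None)
        if hit is not None:
            seq[:] = sorted(seq + [hit], key=lambda e: e.ts)  # keep time order

def threat(sc: Scenario, seq: List[Event]) -> int:
    """Threat degree of a sequence: sum of its steps' threat coefficients."""
    return sum(sc.coeff[e.step] for e in seq)

def build_scenario() -> Scenario:
    """Constructed five-step scenario; 'implant' has no rule to its neighbours."""
    same_host = lambda a, b: a.host == b.host and a.ts < b.ts
    return Scenario(
        steps=["recon", "exploit", "implant", "c2", "exfil"],
        rules={("recon", "exploit"): lambda a, b: same_host(a, b) and b.ts - a.ts <= 86400,
               ("exploit", "c2"): same_host, ("c2", "exfil"): same_host},
        coeff={"recon": 1, "exploit": 3, "implant": 4, "c2": 5, "exfil": 8})
```

Feeding the IDS alerts recon, exploit, c2, exfil for one host, with an implant event only in the historical store, yields a five-step sequence; dropping c2 entirely still attaches exfil through the derived rule.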
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210068888.3A CN103312679B (en) | 2012-03-15 | 2012-03-15 | The detection method of senior constant threat and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103312679A CN103312679A (en) | 2013-09-18 |
| CN103312679B true CN103312679B (en) | 2016-07-27 |
Family
ID=49137465
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201210068888.3A Expired - Fee Related CN103312679B (en) | 2012-03-15 | 2012-03-15 | The detection method of senior constant threat and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103312679B (en) |
Families Citing this family (28)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103905418B (en) * | 2013-11-12 | 2017-02-15 | 北京安天电子设备有限公司 | APT multi-dimensional detection and defense system and method |
| CN103607388B (en) * | 2013-11-18 | 2016-09-21 | 浪潮(北京)电子信息产业有限公司 | A kind of APT threat prediction method and system |
| CN103746991B (en) * | 2014-01-02 | 2017-03-15 | 曙光云计算技术有限公司 | Safety case investigation method and system in system for cloud computing |
| CN103957193A (en) * | 2014-04-04 | 2014-07-30 | 华为技术有限公司 | Client terminal, server and event type determining method |
| US10574675B2 (en) | 2014-12-05 | 2020-02-25 | T-Mobile Usa, Inc. | Similarity search for discovering multiple vector attacks |
| US10216938B2 (en) * | 2014-12-05 | 2019-02-26 | T-Mobile Usa, Inc. | Recombinant threat modeling |
| CN105491002A (en) * | 2015-06-19 | 2016-04-13 | 哈尔滨安天科技股份有限公司 | Advanced threat tracing method and system |
| CN105376245B (en) * | 2015-11-27 | 2018-10-30 | 杭州安恒信息技术有限公司 | A kind of detection method of rule-based APT attacks |
| CN110891048B (en) * | 2015-12-24 | 2021-09-03 | 华为技术有限公司 | Method, device and system for detecting terminal security condition |
| CN105681286A (en) * | 2015-12-31 | 2016-06-15 | 中电长城网际系统应用有限公司 | Association analysis method and association analysis system |
| CN105791264A (en) * | 2016-01-08 | 2016-07-20 | 国家电网公司 | Network security pre-warning method |
| CN107659543B (en) * | 2016-07-26 | 2020-12-01 | 北京计算机技术及应用研究所 | Protection method for APT (android packet) attack of cloud platform |
| CN108234426B (en) * | 2016-12-21 | 2021-08-03 | 中国移动通信集团安徽有限公司 | APT attack warning method and APT attack warning device |
| CN106612287B (en) * | 2017-01-10 | 2019-05-07 | 厦门大学 | A method for detecting persistent attacks on cloud storage systems |
| CN107483425B (en) * | 2017-08-08 | 2020-12-18 | 北京盛华安信息技术有限公司 | Composite attack detection method based on attack chain |
| CN107277065B (en) * | 2017-08-11 | 2019-12-17 | 厦门大学 | A Resource Scheduling Method for Detecting Advanced Persistent Threats Based on Reinforcement Learning |
| US10812510B2 (en) * | 2018-01-12 | 2020-10-20 | The Boeing Company | Anticipatory cyber defense |
| CN108616381B (en) * | 2018-02-28 | 2021-10-15 | 北京奇艺世纪科技有限公司 | Event correlation alarm method and device |
| CN109696892A (en) * | 2018-12-21 | 2019-04-30 | 上海瀚之友信息技术服务有限公司 | A kind of Safety Automation System and its control method |
| CN109981587A (en) * | 2019-02-27 | 2019-07-05 | 南京众智维信息科技有限公司 | A kind of network security monitoring traceability system based on APT attack |
| CN110677287A (en) * | 2019-09-24 | 2020-01-10 | 杭州安恒信息技术股份有限公司 | Threat alarm generating method and device based on systematic attack |
| CN110868403B (en) * | 2019-10-29 | 2021-08-27 | 泰康保险集团股份有限公司 | Method and equipment for identifying advanced persistent Attack (APT) |
| CN110912884A (en) * | 2019-11-20 | 2020-03-24 | 深信服科技股份有限公司 | Detection method, detection equipment and computer storage medium |
| CN110830518B (en) * | 2020-01-08 | 2020-05-08 | 浙江乾冠信息安全研究院有限公司 | Traceability analysis method and device, electronic equipment and storage medium |
| CN111464507A (en) * | 2020-03-17 | 2020-07-28 | 南京航空航天大学 | An APT detection method based on network alarm information |
| CN111953684A (en) * | 2020-08-12 | 2020-11-17 | 珠海市鸿瑞信息技术股份有限公司 | APT attack analysis system in power network |
| CN112839039B (en) * | 2021-01-05 | 2022-02-08 | 四川大学 | Interactive automatic restoration method for network threat event attack scene |
| CN113472789B (en) * | 2021-06-30 | 2023-05-16 | 深信服科技股份有限公司 | Attack detection method, attack detection system, storage medium and electronic device |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101034974A (en) * | 2007-03-29 | 2007-09-12 | 北京启明星辰信息技术有限公司 | Associative attack analysis and detection method and device based on the time sequence and event sequence |
| CN101272286A (en) * | 2008-05-15 | 2008-09-24 | 上海交通大学 | Network Intrusion Event Correlation Detection Method |
| CN101494535A (en) * | 2009-03-05 | 2009-07-29 | 范九伦 | Method for constructing network intrusion scenario based on hidden Markov model |
| CN101599855A (en) * | 2008-11-10 | 2009-12-09 | 南京大学 | Compound Attack Correlation and Attack Scenario Construction Method Based on Attack Pattern Modeling |
| CN101697545A (en) * | 2009-10-29 | 2010-04-21 | 成都市华为赛门铁克科技有限公司 | Security incident correlation method and device as well as network server |
- 2012-03-15: CN application CN201210068888.3A, patent CN103312679B, not active (Expired - Fee Related)
Also Published As
| Publication number | Publication date |
|---|---|
| CN103312679A (en) | 2013-09-18 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | C14 | Grant of patent or utility model | |
| | GR01 | Patent grant | |
| | CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20160727; Termination date: 20210315 |