CN113518067A - Security analysis method based on original message - Google Patents
- Publication number: CN113518067A
- Application number: CN202110322464.4
- Authority: CN (China)
- Prior art keywords: analysis, logs, threat, detection, statistics
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic (H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication; H04L63/00: Network architectures or network communication protocols for network security; H04L63/14: for detecting or protecting against malicious traffic)
- H04L63/1416: Event detection, e.g. attack signature detection (under H04L63/1408)
- H04L63/1425: Traffic logging, e.g. anomaly detection (under H04L63/1408)
- H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention aims to overcome the defects of the background art by providing a security analysis method based on original messages (raw packets). It addresses the security of device terminals in a network and responds quickly and effectively, and it records the whole process as it happens so that the incident can be analysed afterwards and the solution reused elsewhere. To achieve these technical effects, the invention adopts the following technical scheme: a security analysis method based on original messages that is used together with a probe deployed at the application end. The probe carries IDS and WAF engines side by side, combines threat intelligence, malicious file analysis, webshell detection and abnormal behaviour detection, supports both traditional and advanced threat detection, and comprehensively improves the user's threat awareness.
Description
Technical Field
The invention relates to the technical field of Internet of Things security, and in particular to a security analysis method based on original messages (raw packets).
Background
With the continuous development of information technology, information security poses new challenges for security supervision departments. China's information system security industry and its information security laws, regulations and standards are still imperfect, so domestic information security assurance work lags behind the development of information technology.
To improve national information security assurance capability, in January 2015 the Ministry of Public Security issued the "Notice on Accelerating the Construction of the Network and Information Security Reporting Mechanism" (public security information security notice [2015] No. 21). The Notice requires the establishment of a two-level (provincial and municipal) network and information security reporting mechanism, actively promotes the construction of dedicated institutions, and calls for full-traffic network security monitoring and reporting capabilities together with an information reporting, early warning and emergency handling system. It explicitly requires a full-traffic network security monitoring and reporting platform. Such a platform provides security monitoring of important websites and online information systems, monitoring of the spread of computer viruses and trojans, reporting and early warning, emergency handling, situation analysis, security event (incident) management, and supervision and improvement, and supplies technical support for the related work.
By contrast, in the prior art, patent application CN201910407109.X, "Method for detecting threats to Internet of Things terminals based on probe technology", discloses a scheme in which the terminal's hardware fingerprint is first collected and synthesised; the terminal is then authenticated and admitted on the basis of that fingerprint; terminal information is then collected and the management platform analyses the terminal's own security problems; and finally the management platform issues a security early warning and the terminal executes the corresponding security policy. That method addresses the terminal's own security, terminal-cloud interaction security and cloud-side security at the same time, supports a variety of IoT-specific protocols, automatically discovers and manages IoT assets, and provides a timely and dynamic form of defence.
However, as customer requirements grow, customers expect stronger analysis of security scenarios so as to cope with behaviour such as 0-day and APT attacks that traditional security devices cannot handle; after a network attack has occurred, to locate the attacker quickly and block the attack; and to trace historical traffic data and pcap files so that the specific behaviour and course of the attack can be analysed and reconstructed. The prior art does not provide these functions.
Disclosure of Invention
The invention aims to overcome the defects of the background art by providing a security analysis method based on original messages (raw packets) that addresses the security of device terminals in a network and responds quickly and effectively. The system also records the whole process as it happens, so that the incident can be analysed afterwards and the solution reused elsewhere.
To achieve these technical effects, the invention adopts the following technical scheme: a security analysis method based on original messages, used together with a probe deployed at the application end, comprising the following steps:
A. after the probe captures a message, the intrusion detection system and the web application firewall are started at the same time;
B. threat intelligence comparison, webshell detection and malicious file or abnormal behaviour analysis are carried out in turn as detection means;
C. the detection results are studied and judged; if the judgement is that a threat exists, proceed to step D, otherwise the detection process ends;
D. the application end responds: the bypass blocking function is started and, once attack behaviour has been found, the threat is blocked automatically;
E. the event flow is written to a log;
F. the security management platform combines manual analysis with intelligent analysis and, using the log information, formulates a security policy that is sent to the application end;
G. the application end updates the security policy and executes it.
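Steps A to E above, as an added worked example (illustrative code written for this page, not the patent's or NSFOCUS UTS's implementation): a toy probe that runs IDS, WAF, webshell and threat-intelligence checks over mirrored messages, judges the result, decides on blocking, writes the alarm record and keeps the pcap bytes linked to it. The three-way verdict (safe / suspicious / threat), the rules, the intelligence entries and the sample traffic are all assumptions made here; the patent itself only distinguishes "threat" from "no threat".

```python
"""Added example for steps A to E (not the patent's code): a toy probe that runs
IDS, WAF, webshell and threat-intelligence checks over mirrored messages, judges
the result, decides on blocking and keeps the pcap linked to the alarm record."""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Constructed threat intelligence (TEST-NET address, reserved .invalid domain).
INTEL_IPS = {"203.0.113.7"}
INTEL_DOMAINS = {"c2.example.invalid"}

# Constructed signatures: (engine, rule id, pattern). Matching runs on the
# URL-decoded text; without at least that normalisation "%20union%20select"
# would slip past a rule written for "union select".
RULES = [
    ("ids", "sqli-union", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("ids", "path-traversal", re.compile(r"(?:\.\./){2,}")),
    ("waf", "xss-script-tag", re.compile(r"<script\b", re.I)),
    ("webshell", "php-eval-request",
     re.compile(r"eval\s*\(\s*\$_(?:POST|GET|REQUEST)\b", re.I)),
    ("webshell", "jsp-runtime-exec", re.compile(r"Runtime\.getRuntime\(\)\.exec")),
]

@dataclass
class Message:
    src: str
    dst: str
    dport: int
    host: str
    payload: str        # application-layer data as text
    raw: bytes = b""    # mirrored packet bytes, kept for pcap extraction

@dataclass
class Event:
    msg: Message
    hits: list = field(default_factory=list)
    verdict: str = "safe"
    blocked: bool = False
    pcap_id: str = ""

def run_engines(msg):
    """Steps A and B: every engine sees the same mirrored message."""
    text = unquote(msg.payload)
    hits = [f"{eng}:{rid}" for eng, rid, rx in RULES if rx.search(text)]
    if msg.src in INTEL_IPS or msg.dst in INTEL_IPS:
        hits.append("intel:ip")
    if msg.host in INTEL_DOMAINS:
        hits.append("intel:domain")
    return hits

def judge(hits):
    """Step C. Assumption made here: a signature hit, or several hits, is a
    threat; a lone intelligence hit is only 'suspicious' (kept with its pcap for
    an analyst), because feeds age and one indicator is thin grounds for
    resetting production connections."""
    if not hits:
        return "safe"
    if len(hits) > 1 or not hits[0].startswith("intel:"):
        return "threat"
    return "suspicious"

class Probe:
    def __init__(self):
        self.pcap_store = {}        # pcap_id -> raw bytes
        self.alarm_log = []         # step E: one record per message
        self.blocked_sources = set()

    def analyze(self, msg):
        ev = Event(msg=msg, hits=run_engines(msg))
        ev.verdict = judge(ev.hits)
        if ev.verdict == "threat":          # step D: blocking decision
            ev.blocked = True
            self.blocked_sources.add(msg.src)
        if ev.verdict != "safe":            # evidence stays linked to the alarm
            ev.pcap_id = f"pcap-{len(self.pcap_store):04d}"
            self.pcap_store[ev.pcap_id] = msg.raw or msg.payload.encode()
        self.alarm_log.append({"src": msg.src, "dst": msg.dst, "dport": msg.dport,
                               "host": msg.host, "hits": ev.hits, "verdict": ev.verdict,
                               "blocked": ev.blocked, "pcap_id": ev.pcap_id})
        return ev

    def query(self, **criteria):
        """Forensics API: alarm records whose fields all match the criteria."""
        return [r for r in self.alarm_log
                if all(r.get(k) == v for k, v in criteria.items())]

# Constructed sample traffic (TEST-NET addresses, .test/.invalid names).
SAMPLE = [
    Message("198.51.100.10", "192.0.2.20", 80, "shop.example.test",
            "GET /item.php?id=7 HTTP/1.1\r\nHost: shop.example.test\r\n\r\n"),
    Message("198.51.100.11", "192.0.2.20", 80, "shop.example.test",
            "GET /item.php?id=7%20union%20select%201,2,3 HTTP/1.1\r\n\r\n"),
    Message("198.51.100.12", "192.0.2.20", 80, "shop.example.test",
            "POST /upload.php HTTP/1.1\r\n\r\n<?php eval($_POST['c']); ?>"),
    Message("192.0.2.30", "198.51.100.99", 443, "c2.example.invalid",
            "GET /beacon HTTP/1.1\r\nHost: c2.example.invalid\r\n\r\n"),
    Message("203.0.113.7", "192.0.2.20", 80, "shop.example.test",
            "GET /../../../../etc/passwd HTTP/1.1\r\n\r\n"),
]

def run_demo():
    probe = Probe()
    for m in SAMPLE:
        probe.analyze(m)
    return probe

if __name__ == "__main__":
    for r in run_demo().alarm_log:
        print(r["src"], r["verdict"], r["hits"], r["pcap_id"] or "-")
```

The "suspicious" tier is the design choice worth noting: auto-blocking on a single intelligence match is how stale feeds turn into self-inflicted outages, so the example logs the evidence and leaves the decision to step F rather than to the probe.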
Preferably, the bypass blocking of step D works as follows: when a user accesses the server, the traffic is mirrored to the probe, and if characteristics of the traffic hit a preset blocking rule, the probe sends a TCP RST blocking message to tear the connection down.
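The RST mechanism of this clause, as an added worked example (code written for this page, not the patent's or any probe's): given one mirrored client segment that hits a blocking rule, it builds the two RST segments, one per direction, carrying the sequence number each peer expects next. The blocking rule and the mirrored packet are constructed, and the function names `build_ipv4_tcp`, `rst_pair` and `bypass_block` are chosen here.

```python
"""Added example for bypass (out-of-band) RST blocking; not the patent's code.
Parses a mirrored IPv4/TCP segment and crafts the RST toward each peer."""
import re
import socket
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Constructed blocking rule: fire on a SQL-injection marker in the request.
BLOCK_RULES = [("sqli-union", re.compile(rb"union\s+select", re.I))]

def inet_checksum(data):
    """RFC 1071 ones-complement checksum over data (padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Minimal IPv4 + TCP segment (no options) with both checksums filled in."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (5 << 12) | flags, 65535, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp

def parse_ipv4_tcp(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6:
        raise ValueError("RST injection only applies to TCP; UDP flows need another method")
    tcp = pkt[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    doff = (off_flags >> 12) * 4
    return {"src_ip": socket.inet_ntoa(pkt[12:16]), "dst_ip": socket.inet_ntoa(pkt[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "payload": tcp[doff:]}

def tcp_checksum_ok(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:struct.unpack("!H", pkt[2:4])[0]]
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return inet_checksum(pseudo + tcp) == 0

def rst_pair(mirrored):
    """One RST per direction. A peer only tears down on an RST whose sequence
    number is what it expects next (RFC 793 window check; RFC 5961 hosts answer
    an in-window but inexact RST with a challenge ACK instead of closing)."""
    p = parse_ipv4_tcp(mirrored)
    consumed = len(p["payload"]) + bool(p["flags"] & TCP_SYN) + bool(p["flags"] & TCP_FIN)
    next_seq = (p["seq"] + consumed) & 0xFFFFFFFF   # server's RCV.NXT after this segment
    to_server = build_ipv4_tcp(p["src_ip"], p["dst_ip"], p["sport"], p["dport"],
                               next_seq, p["ack"], TCP_RST | TCP_ACK)
    to_client = build_ipv4_tcp(p["dst_ip"], p["src_ip"], p["dport"], p["sport"],
                               p["ack"], next_seq, TCP_RST | TCP_ACK)  # client's RCV.NXT is its own ack
    return to_server, to_client

def bypass_block(mirrored):
    """Return (rule id, [RST segments]) if a blocking rule hits, else (None, [])."""
    payload = parse_ipv4_tcp(mirrored)["payload"]
    for rule_id, rx in BLOCK_RULES:
        if rx.search(payload):
            return rule_id, list(rst_pair(mirrored))
    return None, []

# Constructed mirrored client request (TEST-NET addresses).
SAMPLE_PAYLOAD = b"GET /item.php?id=7 union select 1,2 HTTP/1.1\r\nHost: shop.example.test\r\n\r\n"
MIRRORED = build_ipv4_tcp("198.51.100.10", "192.0.2.20", 40000, 80,
                          1000, 5000, TCP_PSH | TCP_ACK, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    rule, rsts = bypass_block(MIRRORED)
    for r in rsts:
        q = parse_ipv4_tcp(r)
        print(rule, q["src_ip"], "->", q["dst_ip"], "seq", q["seq"], "ack", q["ack"])
    # Sending needs a raw socket (CAP_NET_RAW on Linux):
    # socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW).sendto(r, (q["dst_ip"], 0))
```

Two caveats a practitioner should keep in mind with this kind of blocking: the probe is racing the real server, so the request that hit the rule may already have been processed by the time the RST lands, and the RST has to match the peer's RCV.NXT exactly on hosts that implement RFC 5961. UDP traffic cannot be reset this way at all.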
Preferably, during the study and judgement of step C, the pcap of the threat traffic and the metadata log are stored and associated with the alarm log, providing base data for confirming and judging the attack.
Preferably, the logs of step E cover common protocols and industrial control protocols. Common-protocol logs: TCP flow logs, UDP flow logs, mail behaviour logs, Telnet behaviour logs, authentication logs, HTTP logs, domain name resolution logs, FTP access logs, mail logs and SSL logs; industrial-control logs: GOOSE logs, COP logs, Modbus logs. With this deeply parsed data, the UTS (the probe) can perform comprehensive threat detection, covering threat intelligence detection, intrusion behaviour detection, web attack detection, malicious file detection, DDoS detection and webshell detection.
Preferably, after the logs obtained in step F have been studied and judged for threats, the attackers and victims in the events are analysed and counted to produce threat statistics and correlation statistics, and finally high-risk event statistics, analysis and handling suggestions are formed.
Preferably, the threat statistics comprise attacker statistics, victim statistics, malicious file statistics, threat event statistics and event distribution; the correlation analysis supports attacker analysis, victim analysis and behaviour analysis.
Preferably, traffic statistics are also provided: traffic trend, application composition and VPN composition.
Preferably, a user-defined sensitive information recognition engine is further provided; it detects sensitive information and, combined with the user's business model, gives early warning of business violations, such as acts that leak information, illegal manipulation of databases, access to illegal websites and the use of illegal communication tools.
Preferably, all original traffic is retained throughout the process, so that it can be searched at any time and no information is missed. An API may also be provided for queries and forensics.
The invention also comprises an electronic device for storing and executing the security analysis method based on original messages.
Compared with the prior art, the invention has the following beneficial effects:
The invention carries IDS and WAF engines side by side, combines threat intelligence, malicious file analysis, webshell detection and abnormal behaviour detection, supports both traditional and advanced threat detection, and comprehensively improves the user's threat awareness.
The method supports full-traffic collection and storage: after a threat has been found, the user can retrieve the metadata related to it to obtain the context of the attack, and can extract the related pcap as evidence. Once a threat is found, the attacker can be blocked automatically according to policy; a one-click blocking interface is exposed externally, and the platform can also respond and handle the event immediately. Hyper-converged integration and seamless connection to third-party platforms reduce construction cost.
Drawings
Fig. 1 is a schematic flow chart of the method for detecting threats to Internet of Things terminals based on probe technology.
Detailed Description
The invention will be further explained and described with reference to the embodiments described below.
As shown in Fig. 1, a security analysis method based on original messages (raw packets) is used together with a probe deployed at the application end and comprises the following steps:
A. after the probe captures a message, the intrusion detection system and the web application firewall are started at the same time;
B. threat intelligence comparison, webshell detection and malicious file or abnormal behaviour analysis are carried out in turn as detection means;
C. the detection results are studied and judged; if the judgement is that a threat exists, proceed to step D, otherwise the detection process ends. During the study and judgement, the pcap of the threat traffic and the metadata log are stored and associated with the alarm log, providing base data for confirming and judging the attack.
D. the application end responds: the bypass blocking function is started and, once attack behaviour has been found, the threat is blocked automatically. Specifically, when a user accesses the server the traffic is mirrored to the probe, and if characteristics of the traffic hit a preset blocking rule the probe sends a TCP RST blocking message.
E. the event flow is written to a log. The logs cover common protocols and industrial control protocols. Common-protocol logs: TCP flow logs, UDP flow logs, mail behaviour logs, Telnet behaviour logs, authentication logs, HTTP logs, domain name resolution logs, FTP access logs, mail logs and SSL logs (by importing SSL certificates); industrial-control logs: GOOSE logs, COP logs, Modbus logs. With this deeply parsed data, the UTS can perform comprehensive threat detection, covering threat intelligence detection (compromised-asset detection), intrusion behaviour detection, web attack detection, malicious file detection, DDoS detection and webshell detection.
The threat statistics comprise attacker statistics, victim statistics, malicious file statistics, threat event statistics and event distribution; the correlation analysis supports attacker analysis, victim analysis and behaviour analysis. Traffic statistics are also provided: traffic trend, application composition and VPN composition.
F. the security management platform combines manual analysis with intelligent analysis and, using the log information, formulates a security policy and sends it to the application end. After the log has been obtained and the threats studied and judged, the attackers and victims in the events are analysed and counted to obtain threat statistics and correlation statistics, and finally high-risk event statistics, analysis and handling suggestions are formed.
G. the application end updates the security policy and executes it.
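Step F and the statistics clauses, as an added worked example (code written for this page, not the patent's or any management platform's): it aggregates a constructed alarm log of the shape step E produces into attacker, victim, malicious-file and event-distribution statistics, correlates one attacker's behaviour over time, and produces a high-risk event list with a handling suggestion per event. The severity ranking, the suggestion texts and the records are assumptions made here.

```python
"""Added example for step F (not the patent's code): threat statistics,
correlation and a high-risk report built from an alarm log."""
from collections import Counter, defaultdict

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}   # assumed ranking

# Constructed handling suggestions per event type.
SUGGESTION = {
    "webshell": "isolate the host, remove the file, review web logs for the upload",
    "web-attack": "block the source at the probe, check whether the payload reached the app",
    "malicious-file": "quarantine the file, scan the receiving host",
    "intel": "re-check that the indicator is still live, then block the source or domain",
}

# Constructed alarm-log records in the shape step E would produce.
ALARM_LOG = [
    {"ts": "2021-03-25T10:00:01", "src": "203.0.113.7", "dst": "192.0.2.20",
     "type": "web-attack", "rule": "sqli-union", "severity": "high", "file": None},
    {"ts": "2021-03-25T10:00:09", "src": "203.0.113.7", "dst": "192.0.2.20",
     "type": "webshell", "rule": "php-eval-request", "severity": "critical",
     "file": "sha256:aa11"},                              # constructed digest
    {"ts": "2021-03-25T10:01:30", "src": "203.0.113.7", "dst": "192.0.2.21",
     "type": "intel", "rule": "intel-ip", "severity": "medium", "file": None},
    {"ts": "2021-03-25T11:20:00", "src": "198.51.100.5", "dst": "192.0.2.20",
     "type": "web-attack", "rule": "xss-script-tag", "severity": "medium", "file": None},
    {"ts": "2021-03-25T11:25:00", "src": "198.51.100.5", "dst": "192.0.2.22",
     "type": "malicious-file", "rule": "av-match", "severity": "high",
     "file": "sha256:bb22"},                              # constructed digest
    {"ts": "2021-03-25T12:00:00", "src": "192.0.2.30", "dst": "c2.example.invalid",
     "type": "intel", "rule": "intel-domain", "severity": "medium", "file": None},
]

def _group(log, key):
    groups = defaultdict(list)
    for r in log:
        groups[r[key]].append(r)
    return groups

def attacker_stats(log):
    """Per source: event count, distinct victims, highest severity, event types."""
    return {src: {"events": len(rs),
                  "victims": len({r["dst"] for r in rs}),
                  "max_severity": max((r["severity"] for r in rs), key=SEVERITY_RANK.get),
                  "types": sorted({r["type"] for r in rs})}
            for src, rs in _group(log, "src").items()}

def victim_stats(log):
    """Per destination: event count and distinct attackers."""
    return {dst: {"events": len(rs), "attackers": len({r["src"] for r in rs})}
            for dst, rs in _group(log, "dst").items()}

def malicious_file_stats(log):
    """How often each file digest was seen, across all hosts."""
    return Counter(r["file"] for r in log if r["file"])

def event_distribution(log):
    return Counter(r["type"] for r in log)

def attacker_timeline(log, src):
    """Correlation: one attacker's behaviour in time order (victim, type, rule)."""
    return [(r["ts"], r["dst"], r["type"], r["rule"])
            for r in sorted(log, key=lambda r: r["ts"]) if r["src"] == src]

def high_risk_report(log, min_severity="high"):
    """Events at or above min_severity, most severe first, each with a suggestion."""
    floor = SEVERITY_RANK[min_severity]
    picked = [r for r in log if SEVERITY_RANK[r["severity"]] >= floor]
    picked.sort(key=lambda r: (-SEVERITY_RANK[r["severity"]], r["ts"]))
    return [{"ts": r["ts"], "src": r["src"], "dst": r["dst"], "type": r["type"],
             "severity": r["severity"], "suggestion": SUGGESTION[r["type"]]}
            for r in picked]

if __name__ == "__main__":
    print(attacker_stats(ALARM_LOG))
    print(dict(event_distribution(ALARM_LOG)))
    for e in high_risk_report(ALARM_LOG):
        print(e["severity"], e["src"], "->", e["dst"], e["type"], "|", e["suggestion"])
```

The timeline is the piece that turns counts into a story: for 203.0.113.7 it reads injection, then webshell upload on the same host, then a move to a second victim, which is the order an analyst needs to decide what to contain first.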
A user-defined sensitive information recognition engine is also provided; it detects sensitive information and, combined with the user's business model, gives early warning of business violations, such as acts that leak information, illegal manipulation of databases, access to illegal websites and the use of illegal communication tools.
All original traffic is retained throughout the process, so that it can be searched at any time and nothing is missed. An API may also be provided for queries and forensics.
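The sensitive-information engine combined with a business model, as an added worked example (code written for this page, not the patent's or any product's engine): user-defined detectors, each with an optional validator so that a random 16-digit number is not reported as a payment card, and a constructed service model stating which hosts may reach the database, which addresses are internal, and which domains count as illegal websites or communication tools. The four violation kinds map to the four examples in the text; the model contents and the metadata records are assumptions.

```python
"""Added example (not the patent's code): user-defined sensitive-data detectors
plus a service model, evaluated over metadata records to raise business-violation
warnings."""
import re
from ipaddress import ip_address, ip_network

def luhn_ok(digits):
    """Mod-10 check so a card detector does not fire on every 16-digit number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# User-defined detectors: (label, pattern, optional validator). Constructed.
SENSITIVE_PATTERNS = [
    ("payment-card", re.compile(r"\b\d{16}\b"), luhn_ok),
    ("internal-doc-tag", re.compile(r"\bCONFIDENTIAL-[A-Z0-9]{6}\b"), None),
]

# Constructed service model for the monitored network.
SERVICE_MODEL = {
    "internal": [ip_network("192.0.2.0/24")],
    "db_servers": {"192.0.2.50"},
    "db_ports": {3306, 5432},
    "db_clients": {"192.0.2.20"},               # only the app server may talk to the DB
    "illegal_websites": {"paste.example.invalid"},
    "illegal_tools": {"tunnel.example.invalid"},
}

def is_internal(ip, model=SERVICE_MODEL):
    return any(ip_address(ip) in net for net in model["internal"])

def find_sensitive(text):
    found = []
    for label, rx, validate in SENSITIVE_PATTERNS:
        if any(validate is None or validate(m.group(0)) for m in rx.finditer(text)):
            found.append(label)
    return found

def evaluate(rec, model=SERVICE_MODEL):
    """Business-violation checks on one record (fields: src, dst, dport, domain, body)."""
    violations = []
    body = rec.get("body") or ""
    if body and not is_internal(rec["dst"], model):         # data leaving the network
        labels = find_sensitive(body)
        if labels:
            violations.append(("information-leak", ",".join(labels)))
    if (rec["dst"] in model["db_servers"] and rec["dport"] in model["db_ports"]
            and rec["src"] not in model["db_clients"]):
        violations.append(("illegal-db-access", f"{rec['src']} -> {rec['dst']}:{rec['dport']}"))
    domain = rec.get("domain")
    if domain in model["illegal_websites"]:
        violations.append(("illegal-website", domain))
    if domain in model["illegal_tools"]:
        violations.append(("illegal-tool", domain))
    return violations

def audit(records, model=SERVICE_MODEL):
    """Early-warning list: (src, violation, detail) for every record that breaks the model."""
    return [(rec["src"], kind, detail)
            for rec in records for kind, detail in evaluate(rec, model)]

# Constructed metadata records (TEST-NET addresses, .test/.invalid names).
RECORDS = [
    {"src": "192.0.2.31", "dst": "198.51.100.77", "dport": 443, "domain": "files.example.test",
     "body": "card=4111111111111111&note=CONFIDENTIAL-7F3A9B"},   # leaves the network
    {"src": "192.0.2.31", "dst": "192.0.2.50", "dport": 3306, "domain": None, "body": None},
    {"src": "192.0.2.20", "dst": "192.0.2.50", "dport": 3306, "domain": None, "body": None},
    {"src": "192.0.2.31", "dst": "198.51.100.88", "dport": 80, "domain": "paste.example.invalid",
     "body": ""},
    {"src": "192.0.2.31", "dst": "198.51.100.89", "dport": 443, "domain": "tunnel.example.invalid",
     "body": None},
    {"src": "192.0.2.20", "dst": "192.0.2.21", "dport": 80, "domain": None,
     "body": "card=4111111111111111"},                             # internal to internal: allowed
    {"src": "192.0.2.31", "dst": "198.51.100.77", "dport": 443, "domain": None,
     "body": "id=1234567812345678"},                                # fails Luhn: not a card
]

if __name__ == "__main__":
    for src, kind, detail in audit(RECORDS):
        print(src, kind, detail)
```

The validator hook is the part that keeps such an engine usable: a bare 16-digit regex fires on order numbers and timestamps, and an engine that cries wolf gets switched off.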
Example 1: abnormal traffic audit scenario. The following steps are performed in sequence:
A. the probe performs full-traffic collection and, after a message is captured, starts the intrusion detection system and the web application firewall at the same time;
B. the data stream is passed through threat intelligence comparison and then through intrusion behaviour detection, web application detection, threat intelligence detection, malicious file detection, webshell detection, DDoS detection and abnormal behaviour detection in turn;
C. the detection results are studied and judged; if the result is safe, a log is recorded directly. Otherwise the metadata and pcap can be analysed retrospectively, and:
D. the application end responds: the bypass blocking function is started and the threat is blocked automatically once attack behaviour has been found. Specifically, when a user accesses the server the traffic is mirrored to the probe, and if characteristics of the traffic hit a preset blocking rule the probe sends a TCP RST blocking message.
E. the event flow of step D is written to a log, and the evidence can be retrieved at any time.
Example 2: situation awareness / security operations / data governance scenario. The following steps are performed in sequence:
A. the probe performs full-traffic collection and, after a message is captured, starts the intrusion detection system and the web application firewall at the same time;
B. the data stream is passed through threat intelligence comparison and then through intrusion behaviour detection, web application detection, threat intelligence detection, malicious file detection, webshell detection, DDoS detection and abnormal behaviour detection in turn;
C. the detection results are studied and judged; if the result is safe, a log is recorded directly. Otherwise the metadata and pcap can be analysed retrospectively, and:
D. the application end responds: the bypass blocking function is started to block traffic from the attacking IP and to the malicious domain name;
E. the event flow of step D is written to a log, and the evidence can be retrieved at any time;
F. the security management platform combines manual analysis with intelligent analysis and, using the log information, formulates a security policy and sends it to the application end. After the log has been obtained and the threat studied and judged, the attackers and victims in the event are analysed and counted to obtain threat statistics and correlation statistics, and finally high-risk event statistics, analysis and handling suggestions are formed;
G. the application end updates the security policy and executes it.
To implement the invention, an electronic device for storing and executing the security analysis method based on original messages is also provided.
The invention acts as a hyper-converged probe: it not only merges the detection capabilities of IDS, WAF, threat intelligence, malicious file analysis and other systems, but can also be connected to a third-party SIEM platform, which meets the need for construction in several phases and avoids buying single-function detection hardware several times over. In addition to the hardware version, software deployment is supported, and the user can configure hardware resources independently, which greatly improves the user's ability to build security capabilities.
It will be understood that the above embodiments are merely exemplary embodiments taken to illustrate the principles of the present invention, which is not limited thereto. It will be apparent to those skilled in the art that various modifications and improvements can be made without departing from the spirit and substance of the invention, and these modifications and improvements are also considered to be within the scope of the invention.
Claims (10)
1. A security analysis method based on original messages, used together with a probe deployed at the application end, characterized by comprising the following steps:
A. after the probe captures a message, starting an intrusion detection system and a web application firewall at the same time;
B. carrying out threat intelligence comparison, webshell detection and malicious file or abnormal behaviour analysis in turn as detection means;
C. studying and judging the detection results; if the judgement is that a threat exists, proceeding to step D, otherwise ending the detection process;
D. the application end responding: starting the bypass blocking function and automatically blocking the threat once attack behaviour has been found;
E. writing the event flow to a log;
F. the security management platform combining manual analysis with intelligent analysis, formulating a security policy from the log information and sending it to the application end;
G. the application end updating the security policy and executing it.
2. The security analysis method based on original messages according to claim 1, wherein the bypass blocking in step D proceeds as follows: when a user accesses the server, the traffic is mirrored to the probe, and if characteristics of the traffic hit a preset blocking rule, the probe sends a TCP RST blocking message.
3. The security analysis method based on original messages according to claim 1, wherein during the study and judgement of step C the pcap of the threat traffic and the metadata log are stored and associated with the alarm log.
4. The security analysis method based on original messages according to claim 1, wherein the log of step E covers common protocols and industrial control protocols; the common-protocol logs comprise TCP flow logs, UDP flow logs, mail behaviour logs, Telnet behaviour logs, authentication logs, HTTP logs, domain name resolution logs, FTP access logs, mail logs and SSL logs; the industrial-control logs comprise GOOSE logs, COP logs and Modbus logs.
5. The security analysis method based on original messages according to claim 1, wherein after the log obtained in step F has been studied and judged for threats, the attackers and victims in the events are analysed and counted to obtain threat statistics and correlation statistics, and finally high-risk event statistics, analysis and handling suggestions are formed.
6. The security analysis method based on original messages according to claim 5, wherein the threat statistics comprise attacker statistics, victim statistics, malicious file statistics, threat event statistics and event distribution, and the correlation analysis supports attacker analysis, victim analysis and behaviour analysis.
7. The security analysis method based on original messages according to claim 6, further comprising traffic statistics: traffic trend, application composition and VPN composition.
8. The security analysis method based on original messages according to any one of claims 1 to 7, characterized in that a user-defined sensitive information recognition engine is further provided for detecting sensitive information and, in combination with the user's business model, giving early warning of business violations.
9. The security analysis method based on original messages according to any one of claims 1 to 7, characterized in that all original traffic is retained throughout the process, and an API is provided for queries and forensics.
10. An electronic device, characterized in that it stores and executes the security analysis method based on original messages according to any one of claims 1 to 9.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110322464.4A CN113518067A (en) | 2021-03-25 | 2021-03-25 | Security analysis method based on original message |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110322464.4A CN113518067A (en) | 2021-03-25 | 2021-03-25 | Security analysis method based on original message |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN113518067A true CN113518067A (en) | 2021-10-19 |
Family
ID=78061305
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110322464.4A Pending CN113518067A (en) | 2021-03-25 | 2021-03-25 | Security analysis method based on original message |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113518067A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115484089A (en) * | 2022-09-09 | 2022-12-16 | 绿盟科技集团股份有限公司 | Flow storage method and device and electronic equipment |
| CN115514583A (en) * | 2022-11-21 | 2022-12-23 | 北京长亭未来科技有限公司 | Flow acquisition and blocking method, system, equipment and storage medium |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106656922A (en) * | 2015-10-30 | 2017-05-10 | 阿里巴巴集团控股有限公司 | Flow analysis based protective method and device against network attack |
| CN106961450A (en) * | 2017-05-24 | 2017-07-18 | 深信服科技股份有限公司 | Safety defense method, terminal, cloud server and safety defense system |
| CN110855697A (en) * | 2019-11-20 | 2020-02-28 | 国网湖南省电力有限公司 | Active defense methods for cybersecurity in the power industry |
Events
- 2021-03-25: application CN202110322464.4A filed (CN), published as CN113518067A, status pending
Non-Patent Citations (1)
| Title |
|---|
| 铭冠网安: "绿盟UTS综合威胁探针" (NSFOCUS UTS integrated threat probe), HTTP://WWW.E-BACKUP.CN/PROJECT/%E7%BB%BF%E7%9B%9FUTS%E7%BB%BC%E5%90%88%E5%A8%81%E8%83%81%E6%8E%A2%E9%92%88 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| EP2715522B1 (en) | | Using DNS communications to filter domain names |
| CN115134099B (en) | | Network attack behavior analysis method and device based on full flow |
| CN108111487B (en) | | Safety monitoring method and system |
| CN108134761B (en) | | APT detection system and device |
| CN111245793A (en) | | Anomaly analysis method and device for network data |
| CN106650436B (en) | | A security detection method and device based on local area network |
| TWI407328B (en) | | Network virus protection method and system |
| CN117527412B (en) | | Data security monitoring method and device |
| CN113411295A (en) | | Role-based access control situation awareness defense method and system |
| CN105791323A (en) | | Novel defending method and device for unknown malicious software |
| CN111783092A (en) | | Malicious attack detection method and system for communication mechanism between Android applications |
| CN113518067A (en) | | Security analysis method based on original message |
| CN113660222A (en) | | Situation awareness defense method and system based on mandatory access control |
| CN101453363A (en) | | Network intrusion detection system |
| CN117201062A (en) | | Network security perception system, method, equipment and storage medium |
| CN117955675A (en) | | Network attack defending method and device, electronic equipment and storage medium |
| CN119232440A (en) | | A network attack prevention method, device, terminal equipment and storage medium |
| CN115913599A (en) | | Method and device for detecting lost host |
| CN118200022B (en) | | Data encryption method and system based on malicious attacks on big data networks |
| CN116319048B (en) | | A method to reduce the false alarm rate of IDPS |
| CN120281522A (en) | | Computer network safety protection method and system |
| Nurdin et al. | | Network Forensic on Distributed Denial of Service Attacks using National Institute of Standards and Technology Method |
| Nelson | | Evaluating the Efficiency and Reliability of Snort as an Opensource Intrusion Detection System |
| CN116455650A (en) | | Security protection method and system based on behavior characteristics |
| CN120429188A (en) | | A closed-loop management system for oilfield network security incidents |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| 2021-10-19 | PB01 | Publication | Application publication date: 2021-10-19 |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | |