
CN107172022A - APT threat detection method and system based on intrusion feature - Google Patents


Info

Publication number
CN107172022A
Authority
CN
China
Prior art keywords
module
evidence
data
behavior
storehouse
Legal status
Granted
Application number
CN201710303758.6A
Other languages
Chinese (zh)
Other versions
CN107172022B (en)
Inventor
彭光辉
屈立笳
陶磊
苏礼刚
林伟
黄丽洪
Current Assignee
CHENGDU GOLDTEL INDUSTRY GROUP Co Ltd
Original Assignee
CHENGDU GOLDTEL INDUSTRY GROUP Co Ltd
Application filed by CHENGDU GOLDTEL INDUSTRY GROUP Co Ltd
Priority to CN201710303758.6A
Publication of CN107172022A
Application granted
Publication of CN107172022B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/146 Tracing the source of attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention relates to an APT threat detection method and system based on intrusion features. The method comprises: S1: building a knowledge base model of the intrusion-feature domain; S2: collecting behavioral data, including host behavior data and network behavior data; S3: performing association analysis on the collected behavioral data; S4: preserving evidence by restoring and securing evidence of risky attack behavior; S5: presenting the evidence. The APT threat detection system based on intrusion features consists of an evidence presentation module, a behavior evidence association analysis module, a knowledge base module, an evidence preservation module and an evidence collection module. The beneficial effects of the invention are: the intrusion of the APT attack initiator is blocked at its source; prevention is achieved before the attack happens, based on intrusion features; the system is low-cost and efficient to build; the collection process is hidden and fully transparent and places no burden on the network; and evidence presentation is easy to use and simple to operate.

Description

APT threat detection method and system based on intrusion feature
Technical field
The present invention relates to the field of APT threat detection, and in particular to an APT threat detection method and system based on intrusion features.
Background technology
Finance and government are the main target industries of APT attacks, at 84% and 77% respectively, followed by telecommunications at 66%, the military at 64%, industrial enterprises at 54%, and other sectors at 14%. Email and social networking sites are the most common avenues by which hackers launch APT attacks: email is used in 68% of cases and social networking sites in 65%. Email and social networking sites have even surpassed traditional attack avenues such as viruses, malicious links and phishing websites.
This trend can be seen in the prevalence of social networks in recent years. Traditional enterprise security controls cannot effectively manage social networks, and email has always been the hardest-hit area of enterprise security. Beyond the lack of an effective security management policy, employee security awareness is particularly important here. The use of email and social networking sites is an individual activity of the employee, and this is precisely where the attacker sees an opportunity: the personal email and social networking accounts of employees with weak security awareness serve as the starting point for infiltration, from which the enterprise's servers and network are compromised step by step.
The reason APT attacks are so hard for the victim to defend against is mainly that their unique attack patterns and techniques are difficult to detect. APT attacks have become a major concern in information security, and defence against this kind of threat must be integrated into a broader monitoring and prevention strategy that incorporates existing network defences. Therefore, the more a user focuses on strengthening defences against APT attacks and advanced threats, avoiding damage to the network and leakage of sensitive information, the more fully the security products and technologies the user has already invested in can be exploited.
A survey of the mainstream domestic and international techniques for defending against APT attacks shows that 77% of users consider anomaly-detection solutions the most effective. In addition, sandbox solutions were chosen by 69% of users, full-traffic audit solutions by 66%, and detection of unknown malicious code by 55%.
Summary of the invention
The object of the invention is to overcome the deficiencies of the prior art by providing an APT threat detection method and system based on intrusion features, which blocks the intrusion of the APT attack initiator at its source and achieves the goal of low-cost, efficient construction.
The object of the invention is achieved through the following technical solution. An APT threat detection method based on intrusion features comprises the following steps:
S1: building a knowledge base model of the intrusion-feature domain;
S2: collecting behavioral data, including host behavior data and network behavior data. The host behavior data collected include process/thread information records, port information records, disk data operation records, system registry change records, terminal system basic information change records, peripheral device connection and data transfer records, and third-party application information records. Network behavior data collection first labels network behavior with keywords, then restores the network behavior data, records and tracks the network system's operations and maintenance (O&M) service information and external connection information, and finally saves the data locally;
S3: performing association analysis on the collected behavioral data: the attack process is reconstructed first, and the behavioral data originating from hosts and from the network are analysed for associations against the configured set of logical conditions;
S4: preserving evidence by restoring and securing evidence of risky attack behavior, forming a complete body of evidence for the incident;
S5: presenting the evidence.
The APT intrusion features are email and social networking sites.
The knowledge base modeling uses a multidimensional heterogeneous data source integration model that consolidates and integrates heterogeneous data sources and dynamically invokes the appropriate data mining algorithm, thereby improving the efficiency of analysis. Its main design ideas are:
A. A unified knowledge representation method: data on the Internet comes in structured, semi-structured and unstructured forms. Structured data accounts for only 10%; the remaining 90% is semi-structured and unstructured. Using XML as the basic storage form of the data, including the representation of data formats, knowledge models and semantic metadata, multiple heterogeneous data sources across the Internet and the intranet can be integrated on a single collaborative platform;
B. Protocol conversion: data collected by the system's own capture devices is converted in real time; the protocol type of the data is identified against a protocol class library and the data is then saved to the database. Data collected by other monitoring devices (such as intrusion detection systems, firewalls and content auditing systems) is converted and aggregated in real-time or non-real-time mode;
C. Dynamic loading algorithm: each rule can be dynamically associated with multiple specific analysis objects. The dynamic loading algorithm periodically obtains data from the data source according to the rule's data extraction time and stores it in the case database; data that is already present is not extracted again.
The knowledge base comprises: a user profile registry table, an email feature library, a social platform feature library, an intranet network data flow feature library, and a user behavior feature library.
Network behavior collection uses a data distribution technique based on CIP and SIP, which supports fast capture, splitting and restoration of big data; an improved AC-BM algorithm is used for keyword matching to improve search efficiency; an efficient load balancing algorithm achieves load balancing at the centre of large networks; and data exchange and communication between different hosts uses a node detection scheme to improve the overall throughput of the system.
The improved AC-BM algorithm is the BMH2 algorithm. Let the character set be Σ. Taking pattern = "string search" as an example, the characters of Σ fall into three sets: A1 = {'t', 'i', 'n', 'g', ' ', 'e', 'a', 'c', 'h'}, the characters that appear exactly once in the pattern; A2 = {'s', 'r'}, the characters that appear twice or more; and A0 = Σ - A1 - A2, the characters that do not appear at all. Using text[k] as the heuristic, the BMH algorithm aligns the last occurrence of text[k] in the pattern with text[k] in the text and then matches again. Thus when text[k] ∈ A0, the text-scanning pointer can be moved forward by the maximum distance m (the pattern length). The basic idea here is to let the text pointer move forward by the maximum distance m with higher probability. Suppose instead that the second-to-last occurrence of text[k] in the pattern is aligned with text[k] in the text before a new round of matching starts; then for text[k] ∈ (A0 ∪ A1) the text pointer can always move forward by the maximum distance m, and for text[k] ∈ A2 the displacement of the text pointer is also improved. For example, the spacing between the two occurrences of 's' and between the two occurrences of 'r' in the pattern string is 7 and 8 respectively, so the displacement of the text pointer increases by 7 and 8 correspondingly.
Therefore a newSkip array is added: if the character ch occurs 0 or 1 times in the pattern string pattern, then newSkip[ch] = m; if ch occurs 2 or more times, let f denote the position (0-based) of the second-to-last occurrence of ch in pattern, then newSkip[ch] = m - f - 1. In addition, a preChar array is defined: if the last occurrence of the character ch in the pattern string pattern is pattern[e], then preChar[ch] = pattern[e-1]; if ch does not occur in pattern, preChar[ch] = -1. When pattern[0] occurs only once in the pattern string, since no character precedes pattern[0], newSkip[pattern[0]] is separately assigned the value m-1. The length of the newSkip and preChar arrays is the same as that of the skip array, namely the number of elements in the character set; for ASCII the length is 256.
When matching starts, text[k-m+1 ... k] is compared with pattern[0 ... m-1], examining text[k] ... text[k-m+1] from right to left. If a mismatch is found, text[k-1] is compared with preChar[text[k]]. When text[k-1] != preChar[text[k]], the text pointer is reassigned to k + newSkip[text[k]]; otherwise the text pointer is reassigned to k + skip[text[k]]. In fact, when text[k] does not appear in the pattern string, preChar[text[k]] can be initialised to any value, because then both skip[text[k]] and newSkip[text[k]] equal m, and the text pointer is reassigned to k + m regardless of whether text[k-1] and preChar[text[k]] are equal.
The BMH2 algorithm obtains higher matching efficiency by increasing the average shift distance of the pattern string. When the pattern string contains no repeated characters, or the spacing between repeated characters is large, BMH2 achieves better matching efficiency.
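The BMH2 tables and scan loop described above, written out as an added example that is not part of the patent: the names skip, newSkip and preChar follow the description, while storing the tables as dictionaries keyed by character (instead of the 256-entry ASCII arrays the text mentions), using None for the -1 sentinel, and the shift applied after a full match are assumptions made here.

```python
from typing import Dict, List, Optional, Tuple

# Added example of the BMH2 variant of Boyer-Moore-Horspool described in the
# patent text. Dictionary tables and the handling of a full match are
# assumptions; the shift rules themselves follow the description.

def build_tables(pattern: str) -> Tuple[Dict[str, int], Dict[str, int], Dict[str, Optional[str]]]:
    """Return (skip, newSkip, preChar) for a pattern of length m >= 2."""
    m = len(pattern)
    skip: Dict[str, int] = {}                 # classic Horspool: align last occurrence
    new_skip: Dict[str, int] = {}             # shift once the last occurrence is ruled out
    pre_char: Dict[str, Optional[str]] = {}   # character preceding the last occurrence
    # The Horspool table is built from the last occurrence inside pattern[0..m-2].
    for i in range(m - 1):
        skip[pattern[i]] = m - 1 - i
    positions: Dict[str, List[int]] = {}
    for i, ch in enumerate(pattern):
        positions.setdefault(ch, []).append(i)
    for ch, pos in positions.items():
        e = pos[-1]                                        # last occurrence
        pre_char[ch] = pattern[e - 1] if e > 0 else None   # None stands in for -1
        if len(pos) >= 2:
            f = pos[-2]                                    # second-to-last occurrence
            new_skip[ch] = m - f - 1
        elif e == 0:
            new_skip[ch] = m - 1                           # pattern[0] occurring once
        else:
            new_skip[ch] = m                               # single occurrence elsewhere
    return skip, new_skip, pre_char


def bmh2_search(text: str, pattern: str) -> List[int]:
    """Return the start index of every occurrence of pattern in text."""
    m, n = len(pattern), len(text)
    if m == 0 or m > n:
        return []
    if m == 1:  # no text[k-1] to test against preChar: plain scan (assumption)
        return [i for i, ch in enumerate(text) if ch == pattern]
    skip, new_skip, pre_char = build_tables(pattern)
    hits: List[int] = []
    k = m - 1  # text index aligned with pattern[m-1]
    while k < n:
        j = m - 1
        while j >= 0 and text[k - m + 1 + j] == pattern[j]:   # compare right to left
            j -= 1
        if j < 0:
            hits.append(k - m + 1)
        c = text[k]
        if c not in pre_char:
            k += m                 # text[k] absent from pattern: skip == newSkip == m
        elif text[k - 1] != pre_char[c]:
            k += new_skip[c]       # last occurrence cannot align: use second-to-last
        else:
            k += skip.get(c, m)    # classic Horspool shift
    return hits
```

With pattern "string search" the tables give newSkip['s'] - skip['s'] = 7 and newSkip['r'] - skip['r'] = 8, the two increases quoted in the text.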
The objects of network behavior collection include email data collection, social platform application data collection, intranet transport-layer data flow collection, database protocol data collection and remote control protocol data collection.
The threat detection method uses protocol analysis and transport flow analysis techniques to analyse and study the transport flows and application layer protocols of important business systems, analysing the session procedures and session characteristics of these protocols and understanding their user behavior, thereby achieving evidence preservation of the information system's external connection behavior and detection of abnormal data.
Evidence is presented in two different ways: charts and lists. Chart queries use a drill-down approach, going from the overall picture to the details layer by layer. Lists provide combined queries, offering multi-condition combined queries over all user behavior logs and manually adjudicated logs, including the behavior, the object of the behavior, the specific IP, and so on. It is easy to use and simple to operate, helping the user grasp the overall behavior situation and trace APT attacks back to their source.
Association analysis uses the case-based data management and knowledge discovery model CDMKDM. The model can sort, merge and file the large amount of first-hand information collected from the network, extract the interesting knowledge and information within it, and establish implicit association relationships among the relevant information according to the business needs of actual work, providing an intuitive knowledge representation that helps users make full use of network data for decision-making.
The detection method also includes subject-oriented information classification for the collection and back-end data mining parts. Event classification classifies the data under prescribed conditions; using classification techniques, alarm events can be classified automatically, thereby confirming anomalous events.
The detection method also includes event clustering, which performs cluster analysis on all kinds of evidence to achieve dynamic awareness of all kinds of security incidents. Event clustering divides the data into different classes, without supervision, according to the different characteristics of the data. Its purpose is to make the distance between individuals belonging to the same class as small as possible and the distance between individuals of different classes as large as possible. In an evidence collection system based on active defence, clustering allows alarm events that appear in clusters to be analysed and abnormal patterns to be discovered, so that warning information is produced.
An APT threat detection system based on intrusion features comprises: an evidence presentation module, a behavior evidence association analysis module, a knowledge base module, an evidence preservation module and an evidence collection module. The behavior evidence association analysis module, the knowledge base module and the evidence preservation module are each connected to the evidence presentation module; the behavior evidence association analysis module is connected to the knowledge base module; the knowledge base module is connected to the evidence preservation module; and the knowledge base module and the evidence preservation module are each connected to the evidence collection module.
The evidence presentation module comprises a behavior evidence presentation module, an evidence assisted-analysis module and a behavioral-subject responsibility confirmation module; the evidence presentation module is connected to the evidence assisted-analysis module, and the evidence assisted-analysis module is connected to the behavioral-subject responsibility confirmation module;
The behavior evidence association analysis module comprises a host operation behavior module, a network service behavior module, a business behavior module, a remote service behavior module and an association module; the host operation behavior module, network service behavior module, business behavior module and remote service behavior module are each connected to the association module;
The knowledge base module comprises a user profile registry library, a user security requirements library, a threat modeling library, a behavioral risk evaluation criteria library, a laws and regulations library and an evidence collection policy library. The first end of the threat modeling library and the first end of the behavioral risk evaluation criteria library are connected to the user profile registry library and the user security requirements library respectively; the second end of the threat modeling library is connected to the first end of the laws and regulations library; the second end of the behavioral risk evaluation criteria library is connected to the first end of the laws and regulations library; and the second end of the laws and regulations library is connected to the evidence collection policy library;
The evidence preservation module comprises an evidence module, a codification processing module, a raw data module, a technical processing module and a data storage module; the data storage module is connected to the first end of the raw data module; the first end of the technical processing module and the first end of the codification processing module are each connected to the second end of the raw data module; and the second end of the codification processing module is connected to the evidence module;
The evidence collection module comprises a host behavior collection module, a network behavior collection module, and the various servers, hosts and devices; the host behavior collection module and the network behavior collection module are each connected to the various servers, hosts and devices.
The evidence presentation module, behavior evidence association analysis module, knowledge base module, evidence preservation module and evidence collection module of the system are connected using intranet technology.
Data transfer between the evidence presentation module, behavior evidence association analysis module, knowledge base module, evidence preservation module and evidence collection module of the system is carried out in encrypted form and passes through user authentication and rights management. The evidence collection module collects the data of each collection zone; a collection zone may be the network management centre of a basic information network or of an important information system.
The behavior evidence association analysis module performs association analysis on the data in the front-end data collection module and classifies the evidence data according to its content.
The evidence preservation module generates data records of network attacks and destructive incidents.
The evidence presentation module mainly consists of the various query/management terminals. The evidence presentation module generates all kinds of forms and analysis reports according to the needs of the user; its friendly interface queries the contents of the data warehouse, replays sessions and performs maintenance of each platform, such as backup and deletion.
During system operation, the evidence presentation module, behavior evidence association analysis module, knowledge base module, evidence preservation module and evidence collection module maintain dynamic, high-speed connections. On the one hand, the devices in the evidence zones obtain rules from the platform's rule library through the collector, dynamically save the collected data into the platform and raise alarms; on the other hand, the user identification mechanism receives query and management requests from each device of the user analysis platform and provides data analysis or rule change services.
The beneficial effects of the invention are as follows:
1) Starting from the analysis and mining of individual Internet access behavior data inside the attacked organization, possible spear-phishing and spoofing attacks are identified and the intrusion of the APT attack initiator is blocked at its source;
2) Prevention is achieved, based on intrusion features, before the APT attack is launched, reaching the goal of low-cost, efficient construction;
3) The collection process is hidden and fully transparent, places no burden on the network and does not affect the operation of other network devices;
4) Evidence presentation is easy to use and simple to operate, helping the user grasp the overall behavior situation and trace APT attacks back to their source.
Brief description of the drawings
Fig. 1 is a flow chart of the method of the invention;
Fig. 2 is a block diagram of the system of the invention;
Fig. 3 is a business process diagram of the invention;
Fig. 4 is an architecture diagram of the system of the invention.
Embodiment
The technical solution of the invention is described in further detail below with reference to specific embodiments, but the scope of protection of the invention is not limited to what is described below.
Embodiment 1
An APT threat detection method based on intrusion features, as shown in Fig. 1, comprises:
S1: building a knowledge base model of the intrusion-feature domain;
S2: collecting behavioral data, including host behavior data and network behavior data. The host behavior data collected include process/thread information records, port information records, disk data operation records, system registry change records, terminal system basic information change records, peripheral device connection and data transfer records, and third-party application information records. Network behavior data collection first labels network behavior with keywords, then restores the network behavior data, records and tracks the network system's operations and maintenance (O&M) service information and external connection information, and finally saves the data locally;
S3: performing association analysis on the collected behavioral data: the attack process is reconstructed first, and the behavioral data originating from hosts and from the network are analysed for associations against the configured set of logical conditions;
S4: preserving evidence by restoring and securing evidence of risky attack behavior, forming a complete body of evidence for the incident;
S5: presenting the evidence.
The APT intrusion features are email and social networking sites.
The knowledge base modeling uses a multidimensional heterogeneous data source integration model. It consolidates and integrates heterogeneous data sources and dynamically invokes the appropriate data mining algorithm, thereby improving the efficiency of analysis. Its main design ideas are:
A. A unified knowledge representation method: data on the Internet comes in structured, semi-structured and unstructured forms. Structured data accounts for only 10%; the remaining 90% is semi-structured and unstructured. Using XML as the basic storage form of the data, including the representation of data formats, knowledge models and semantic metadata, multiple heterogeneous data sources across the Internet and the intranet can be integrated on a single collaborative platform;
B. Protocol conversion: data collected by the system's own capture devices is converted in real time; the protocol type of the data is identified against a protocol class library and the data is then saved to the database. Data collected by other monitoring devices (such as intrusion detection systems, firewalls and content auditing systems) is converted and aggregated in real-time or non-real-time mode;
C. Dynamic loading algorithm: each rule can be dynamically associated with multiple specific analysis objects. The dynamic loading algorithm periodically obtains data from the data source according to the rule's data extraction time and stores it in the case database; data that is already present is not extracted again.
The knowledge base comprises: a user profile registry table, an email feature library, a social platform feature library, an intranet network data flow feature library, and a user behavior feature library.
Network behavior collection uses a data distribution technique based on CIP and SIP, which supports fast capture, splitting and restoration of big data; an improved AC-BM algorithm is used for keyword matching to improve search efficiency; an efficient load balancing algorithm achieves load balancing at the centre of large networks; and data exchange and communication between different hosts uses a node detection scheme to improve the overall throughput of the system.
The objects of network behavior collection include email data collection, social platform application data collection, intranet transport-layer data flow collection, database protocol data collection and remote control protocol data collection.
The threat detection method uses protocol analysis and transport flow analysis techniques to analyse and study the transport flows and application layer protocols of important business systems, analysing the session procedures and session characteristics of these protocols and understanding their user behavior, thereby achieving evidence preservation of the information system's external connection behavior and detection of abnormal data.
Evidence is presented in two different ways: charts and lists. Chart queries use a drill-down approach, going from the overall picture to the details layer by layer. Lists provide combined queries, offering multi-condition combined queries over all user behavior logs and manually adjudicated logs, including the behavior, the object of the behavior, the specific IP, and so on. It is easy to use and simple to operate, helping the user grasp the overall behavior situation and trace APT attacks back to their source.
Association analysis uses the case-based data management and knowledge discovery model CDMKDM. The model can sort, merge and file the large amount of first-hand information collected from the network, extract the interesting knowledge and information within it, and establish implicit association relationships among the relevant information according to the business needs of actual work, providing an intuitive knowledge representation that helps users make full use of network data for decision-making.
As shown in figure 3, a kind of APT threat detection method operation flow based on intrusion feature is to pass through mail and social network Domain knowledge base of standing is modeled, and is modeled for user's inner-mesh network data flow white list, will be respectively derived from the row of main frame and network Analysis is associated with the logical condition set for data, the risk of attacks behavior preservation of evidence is restored, is formed for accident Simultaneously the evidence is presented in complete evidence.Detection method also includes the information classification of subject-oriented, for collecting the data with backstage Part is excavated, event category is that under prescribed conditions, data are classified, using sorting technique, and alert event can be entered The automatic classification of row, so as to realize the confirmation of anomalous event.For example, in application layer evidence analysis, can be according to port numbers, should It is divided into that HTTP is up with layer protocol, HTTP is descending, sends mail, receives mail etc..According to the condition code of every kind of application, some Agreement can also be segmented, such as HTTP is up be divided into log-on message, BBS, Web chatroom, WebMail.Grader is realized Key technology be text representation, participle, feature extraction and classifying algorithm.This project take classics vector space model and to The method of the cosine value of amount calculates the similarity between every document and the demand of user.
Detection method also includes affair clustering, carries out analysis cluster to all kinds of evidences, realizes the dynamic of all kinds of security incidents Perceive, affair clustering is under the conditions of unsupervised, according to the different characteristic of data, to be divided into different data class.It Purpose is that distance is as small as possible between making to belong to same category of individual, and it is different classes of on individual between distance as far as possible Greatly.In the evidence-obtaining system based on Initiative Defense, by cluster, the alert event of agglomerating appearance can be analyzed, note abnormalities rule Rule, so as to produce warning information.
As shown in Figure 2, an APT threat detection system based on intrusion features includes:
an evidence presentation module, a behavior evidence correlation analysis module, a knowledge base module, an evidence preservation module and an evidence collection module. The behavior evidence correlation analysis module, the knowledge base module and the evidence preservation module are each connected to the evidence presentation module; the behavior evidence correlation analysis module is connected to the knowledge base module, and the knowledge base module is connected to the evidence preservation module; the knowledge base module and the evidence preservation module are each connected to the evidence collection module.
The evidence presentation module includes a behavior evidence presentation module, an evidence-assisted analysis module and a behavior subject responsibility confirmation module. The behavior evidence presentation module is connected to the evidence-assisted analysis module, and the evidence-assisted analysis module is connected to the behavior subject responsibility confirmation module;
The behavior evidence correlation analysis module includes a host operation behavior module, a network service behavior module, a business behavior module, a remote service behavior module and a correlation module. The host operation behavior module, the network service behavior module, the business behavior module and the remote service behavior module are each connected to the correlation module;
The knowledge base module includes a user information registration library, a user security requirements library, a threat modeling library, a behavior risk assessment standards library, a laws and regulations library and an evidence collection policy library. The first end of the threat modeling library and the first end of the behavior risk assessment standards library are each connected to the user information registration library and the user security requirements library; the second end of the threat modeling library is connected to the first end of the laws and regulations library; the second end of the behavior risk assessment standards library is connected to the first end of the laws and regulations library; and the second end of the laws and regulations library is connected to the evidence collection policy library;
The evidence preservation module includes an evidence module, an encoding processing module, a raw data module, a technical processing module and a data storage module. The data storage module is connected to the first end of the raw data module; the first end of the technical processing module and the first end of the encoding processing module are each connected to the second end of the raw data module; and the second end of the encoding processing module is connected to the evidence module;
The evidence collection module includes a host behavior acquisition module, a network behavior acquisition module, and the various servers, hosts and devices. The host behavior acquisition module and the network behavior acquisition module are each connected to the various servers, hosts and devices.
The system's evidence presentation module, behavior evidence correlation analysis module, knowledge base module, evidence preservation module and evidence collection module are connected using intranet technologies.
Data transfer between the system's evidence presentation module, behavior evidence correlation analysis module, knowledge base module, evidence preservation module and evidence collection module is encrypted and subject to user authentication and rights management. The evidence collection module gathers the data of each collection area; a collection area may be the network management center of the basic information network or of an important information system.
The behavior evidence correlation analysis module performs correlation analysis on the data from the front-end data collection module and classifies the evidence data according to its content.
The evidence preservation module generates data records of network attacks and destructive incidents.
The evidence presentation module consists mainly of the various query and management terminals. According to the needs of the user, the evidence presentation module generates all kinds of forms and analysis reports; its friendly interface queries the contents of the data warehouse and implements session replay and the management and maintenance of each platform, such as backup and deletion.
As shown in Figure 4, the architecture of the APT threat detection system based on intrusion features includes a knowledge base, an evidence collection layer, an evidence preservation layer, an evidence analysis layer, an evidence presentation layer and a standard time source.
During system operation, the evidence presentation module, behavior evidence correlation analysis module, knowledge base module, evidence preservation module and evidence collection module maintain dynamic, high-speed connections. On the one hand, the devices in the evidence areas obtain rules from the platform's rule base through the collectors, dynamically save the collected data into the platform, and raise alarms; on the other hand, the user identification mechanism receives the query and management requests of the user analysis platform for each device and provides data analysis or rule modification services. The above is only a preferred embodiment of the present invention. It should be understood that the present invention is not limited to the form disclosed herein and is not to be taken as excluding other embodiments; it can be used in various other combinations, modifications and environments, and can be modified within the scope of the concept described herein by the above teachings or by the technology or knowledge of the related art. Changes and modifications made by those skilled in the art that do not depart from the spirit and scope of the present invention shall all fall within the protection scope of the appended claims of the present invention.

Claims (10)

1. An APT threat detection method based on intrusion features, characterized in that it includes:
S1: knowledge base modeling of the intrusion feature domain;
S2: collecting behavioral data, including collecting host behavior data and collecting network behavior data. Collecting host behavior data includes collecting process/thread information records, port information records, disk data operation records, system registry information change records, terminal system basic information change records, peripheral device connection and data transfer records, and third-party application information records. Collecting network behavior data first applies keyword classification to the network behavior, then performs network behavior data reduction, records and tracks the network system's operations and maintenance service information and external connection information, and finally saves the data locally;
S3: performing correlation analysis on the collected behavioral data: the attack process is reconstructed first, and the behavioral data originating from hosts and from the network are each correlated against the set of logical conditions;
S4: preserving the evidence: the risk attack behavior is reconstructed and preserved as evidence, forming the complete evidence for the incident;
S5: presenting the evidence.
2. The APT threat detection method based on intrusion features according to claim 1, characterized in that the intrusion paths include mail and social networking sites.
3. The APT threat detection method based on intrusion features according to claim 1, characterized in that the knowledge base modeling uses the integration and fusion of multidimensional heterogeneous data sources for modeling.
4. The APT threat detection method based on intrusion features according to claim 1, characterized in that, in collecting the network behavior, data are distributed on the basis of CIP and SIP, the AC-BM algorithm is used for keyword matching, and a node detection mode is used to implement data exchange and communication between different hosts.
5. The APT threat detection method based on intrusion features according to claim 1, characterized in that, in collecting network behavior data, the objects of collection include mail data, social platform application data, intranet transport-layer data streams, database protocol data and remote control protocol data.
6. The APT threat detection method based on intrusion features according to claim 1, characterized in that, in step S4, queries are made using charts and lists: chart queries proceed from the overview to the details, list queries go deeper layer by layer using a drill-down approach, and multi-condition combined queries are made over all user behavior logs and manual adjudication logs.
7. The APT threat detection method based on intrusion features according to claim 1, characterized in that the model used for the correlation analysis is the case-based data management and knowledge discovery model (CDMKDM).
8. The APT threat detection method based on intrusion features according to claim 1, characterized in that the detection method also includes subject-oriented information classification, which serves the collected data and the back-end data mining component.
9. An APT threat detection system based on intrusion features, characterized in that it includes:
an evidence presentation module, a behavior evidence correlation analysis module, a knowledge base module, an evidence preservation module and an evidence collection module. The behavior evidence correlation analysis module, the knowledge base module and the evidence preservation module are each connected to the evidence presentation module; the behavior evidence correlation analysis module is connected to the knowledge base module, and the knowledge base module is connected to the evidence preservation module; the knowledge base module and the evidence preservation module are each connected to the evidence collection module; and the system's evidence presentation module, behavior evidence correlation analysis module, knowledge base module, evidence preservation module and evidence collection module are connected using intranet technologies.
10. The APT threat detection system based on intrusion features according to claim 9, characterized in that:
the evidence presentation module includes a behavior evidence presentation module, an evidence-assisted analysis module and a behavior subject responsibility confirmation module; the behavior evidence presentation module is connected to the evidence-assisted analysis module, and the evidence-assisted analysis module is connected to the behavior subject responsibility confirmation module;
the behavior evidence correlation analysis module includes a host operation behavior module, a network service behavior module, a business behavior module, a remote service behavior module and a correlation module; the host operation behavior module, the network service behavior module, the business behavior module and the remote service behavior module are each connected to the correlation module;
the knowledge base module includes a user information registration library, a user security requirements library, a threat modeling library, a behavior risk assessment standards library, a laws and regulations library and an evidence collection policy library; the first end of the threat modeling library and the first end of the behavior risk assessment standards library are each connected to the user information registration library and the user security requirements library; the second end of the threat modeling library is connected to the first end of the laws and regulations library; the second end of the behavior risk assessment standards library is connected to the first end of the laws and regulations library; and the second end of the laws and regulations library is connected to the evidence collection policy library;
the evidence preservation module includes an evidence module, an encoding processing module, a raw data module, a technical processing module and a data storage module; the data storage module is connected to the first end of the raw data module; the first end of the technical processing module and the first end of the encoding processing module are each connected to the second end of the raw data module; and the second end of the encoding processing module is connected to the evidence module;
the evidence collection module includes a host behavior acquisition module, a network behavior acquisition module, and the various servers, hosts and devices; the host behavior acquisition module and the network behavior acquisition module are each connected to the various servers, hosts and devices.
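The network behavior collection of claims 1, 4 and 5 (keyword classification of captured traffic, data distribution by CIP/SIP, keyword matching with AC-BM), as an added example that is not code from the patent. It implements the Aho-Corasick half of AC-BM as a byte-level multi-pattern matcher (the Boyer-Moore skip heuristics of the hybrid are left out), maps matched keywords to the collection object categories of claim 5, and assigns each flow to a collector node by hashing the client/server address pair; reading CIP and SIP as client IP and server IP is an assumption, since the page does not expand them. The keyword table, node count and sample flows are constructed for the example.

```python
import hashlib
from collections import deque


class AhoCorasick:
    """Multi-pattern matcher over bytes: a keyword trie with failure links that scans each
    payload once and reports (start_offset, keyword) for every hit, overlapping ones included.
    This is the Aho-Corasick part of the AC-BM algorithm named in claim 4; the Boyer-Moore
    skip heuristics of the hybrid are not implemented here."""

    def __init__(self, keywords):
        self.goto, self.fail, self.out = [{}], [0], [[]]
        for kw in keywords:
            self._insert(kw)
        self._link()

    def _insert(self, kw):
        state = 0
        for ch in kw:  # ch is an int because kw is bytes
            if ch not in self.goto[state]:
                self.goto[state][ch] = len(self.goto)
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
            state = self.goto[state][ch]
        self.out[state].append(kw)

    def _link(self):
        queue = deque(self.goto[0].values())  # depth-1 states fail to the root (already 0)
        while queue:
            r = queue.popleft()
            for ch, s in self.goto[r].items():
                f = self.fail[r]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(ch, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]  # inherit suffix matches
                queue.append(s)

    def search(self, data):
        state, hits = 0, []
        for i, ch in enumerate(data):
            while state and ch not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(ch, 0)
            for kw in self.out[state]:
                hits.append((i - len(kw) + 1, kw))
        return hits


# Keyword -> collection category (claim 5). The SMTP commands, SSH banner prefix, RDP
# mstshash cookie and MySQL auth plugin name are real protocol markers; the social
# platform host name is constructed.
KEYWORD_CATEGORIES = {
    b"MAIL FROM:": "mail data",
    b"RCPT TO:": "mail data",
    b"Host: social.example": "social platform application data",
    b"mysql_native_password": "database protocol data",
    b"Cookie: mstshash=": "remote control protocol data",
    b"SSH-2.0-": "remote control protocol data",
}
MATCHER = AhoCorasick(KEYWORD_CATEGORIES)


def distribute(cip, sip, n_workers):
    """Choose the collector node for a client/server pair (CIP/SIP read as client and server IP,
    an assumption). The pair is sorted so both directions of a flow reach the same node."""
    key = "|".join(sorted((cip, sip))).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % n_workers


def classify_flow(cip, sip, payload, n_workers=4):
    """Keyword classification of one captured flow plus the node that should handle it."""
    hits = MATCHER.search(payload)
    return {
        "client": cip, "server": sip,
        "worker": distribute(cip, sip, n_workers),
        "keywords": [kw.decode("latin-1") for _, kw in hits],
        "categories": sorted({KEYWORD_CATEGORIES[kw] for _, kw in hits}),
    }


# Constructed flows (not real captures): (client IP, server IP, leading payload bytes)
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.25", b"EHLO ws5\r\nMAIL FROM:<a@example.test>\r\nRCPT TO:<b@example.test>\r\n"),
    ("10.0.0.6", "10.0.0.30", b"\x03\x00\x00\x2f\x2a\xe0\x00\x00\x00\x00\x00Cookie: mstshash=alice\r\n"),
    ("10.0.0.7", "10.0.0.40", b"SSH-2.0-OpenSSH_8.9\r\n"),
    ("10.0.0.8", "10.0.0.50", b"\x4a\x00\x00\x00\x0a8.0.30\x00" + b"\x00" * 8 + b"mysql_native_password\x00"),
    ("10.0.0.9", "10.0.0.60", b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n"),
]


def classify_flows(flows=SAMPLE_FLOWS):
    return [classify_flow(*f) for f in flows]


if __name__ == "__main__":
    for r in classify_flows():
        print(r["client"], "->", r["server"], "worker", r["worker"], r["categories"] or ["unclassified"])
```

Matching runs in time linear in the payload length regardless of how many keywords are loaded, which is what makes a single pass over a capture feasible at collection time; the flow that matches no keyword is left unclassified rather than guessed, so that the later reduction and correlation steps can treat it separately.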
CN201710303758.6A 2017-05-03 2017-05-03 APT threat detection method and system based on intrusion path Active CN107172022B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710303758.6A CN107172022B (en) 2017-05-03 2017-05-03 APT threat detection method and system based on intrusion path

Publications (2)

Publication Number Publication Date
CN107172022A true CN107172022A (en) 2017-09-15
CN107172022B CN107172022B (en) 2021-01-01

Family

ID=59812726

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108229175A (en) * 2017-12-28 2018-06-29 中国科学院信息工程研究所 A kind of correlation analysis system and method for multidimensional isomery forensic information
CN109951419A (en) * 2017-12-20 2019-06-28 广东电网有限责任公司电力调度控制中心 A kind of APT intrusion detection method based on attack chain attack rule digging
CN109981596A (en) * 2019-03-05 2019-07-05 腾讯科技(深圳)有限公司 A kind of host external connection detection method and device
CN110545251A (en) * 2018-05-29 2019-12-06 国际关系学院 evidence chain construction method for Trojan attack scene
CN110837640A (en) * 2019-11-08 2020-02-25 深信服科技股份有限公司 Malicious file searching and killing method, device, storage medium and device
CN110958257A (en) * 2019-12-06 2020-04-03 北京中睿天下信息技术有限公司 Intranet permeation process reduction method and system
CN111177772A (en) * 2019-12-04 2020-05-19 国网浙江省电力有限公司 Data security method for palm power business of power system
CN111245796A (en) * 2019-12-31 2020-06-05 南京联成科技发展股份有限公司 Big data analysis method for industrial network intrusion detection
CN111914408A (en) * 2020-07-15 2020-11-10 中国民航信息网络股份有限公司 Threat modeling-oriented information processing method and system and electronic equipment
CN112202818A (en) * 2020-12-01 2021-01-08 南京中孚信息技术有限公司 Network traffic intrusion detection method and system fusing threat information
CN112291260A (en) * 2020-11-12 2021-01-29 福建奇点时空数字科技有限公司 APT (android packet) attack-oriented network security threat concealed target identification method
CN112671800A (en) * 2021-01-12 2021-04-16 江苏天翼安全技术有限公司 Method for threat quantification enterprise risk value
CN115412320A (en) * 2022-08-19 2022-11-29 奇安信网神信息技术(北京)股份有限公司 Attack behavior tracing method, device and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant