
CN107370755B - Method for multi-dimensional deep detection of APT (Advanced Persistent Threat) attack - Google Patents


Info

Publication number: CN107370755B
Authority: CN (China)
Prior art keywords: attack, detection, apt, stage, information
Legal status: Active
Application number: CN201710731477.0A
Other languages: Chinese (zh)
Other versions: CN107370755A (en)
Inventors: 李凯, 范渊
Current Assignee: Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee: Hangzhou Dbappsecurity Technology Co Ltd
Events: application filed by Hangzhou Dbappsecurity Technology Co Ltd; priority to CN201710731477.0A; publication of CN107370755A; application granted; publication of CN107370755B; legal status active; anticipated expiration

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic > H04L 63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY > H04 > H04L > H04L 63/00 > H04L 63/14 > H04L 63/1433 Vulnerability analysis
    • H ELECTRICITY > H04 > H04L > H04L 63/00 > H04L 63/14 > H04L 63/1441 Countermeasures against malicious traffic > H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to the field of APT attack detection and provides a method for multi-dimensional, deep-level detection of APT attacks. The method comprises the following steps: collecting, parsing and restoring the traffic of common network application-layer protocol packets; analysing and detecting the resulting network application behaviours, recording attack behaviours and raising alerts; further optimising the detection strategy and mechanism of each attack point; and correlating the alerts into an APT attack chain. The method analyses and detects, from multiple dimensions, the possible attack points in each stage of the APT attack life cycle; attack clues found in one attack stage serve as a detection basis for the other stages, and the detection conclusions of the individual stages are correlated into attack evidence of higher certainty.

Description

Method for multi-dimensional deep detection of APT (Advanced Persistent Threat) attack
Technical Field
The invention relates to the field of APT attack detection, in particular to a method for multi-dimensional, deep-level detection of APT attacks.
Background
An APT (Advanced Persistent Threat) attack is an organised, carefully planned series of covert and persistent attack steps directed at a specific target. APT attacks commonly use malicious software to exploit system vulnerabilities and an external C&C (command and control) server to monitor the target continuously and steal its data. Because an APT attack is elaborately planned around a specific target, and because it can be remotely controlled and combined with manual tradecraft to execute the attack process in a targeted way, the whole process remains hidden and hard to detect for a long time, so a successful attack poses a severe threat to the target.
The life cycle of an APT attack is generally divided into the following attack stages:
1) initial intrusion: social-engineering attacks or spear phishing by e-mail with delivery of malicious files; implanting a malicious file into a website to carry out a watering-hole attack, and the like;
2) foothold establishment: implanting a Remote Administration Tool (RAT) on the compromised host to create a network backdoor or tunnel for illegitimate access;
3) Trojan callback: the RAT connects back to the C&C server, the attack tools are updated, and the compromised host can be remotely controlled;
4) privilege escalation: escalating privileges through vulnerability exploitation or password cracking to gain complete control of the compromised host;
5) internal reconnaissance: collecting information such as network architecture and asset credentials by means such as scanning;
6) lateral movement: taking control of further servers and workstations using the credentials obtained during internal reconnaissance, password brute forcing, vulnerability exploitation and the like;
7) data theft: sending the stolen data out of the network illicitly.
After an APT attack has chosen its target, a large amount of reconnaissance is conducted on the weak links in the target's existing infrastructure and its existing defences; each attack step is planned elaborately, the existing defences are bypassed where possible, 0-day vulnerabilities are used to craft malicious files, and concealment is attempted throughout the attack process, so that the final goal of stealing data is reached.
Traditional protection mechanisms and products mostly perform single-point detection of the individual attack techniques in the APT attack life cycle: the detected attack points and attack layers are isolated, the detection strategies of the attack points neither interact nor self-optimise, latent APT attacks are hard to discover, the APT attack chain cannot be outlined, and a carefully planned APT attack bypasses such detection easily. The possible attack points in all stages of the APT attack life cycle therefore need to be analysed and detected deeply from multiple dimensions, so that attack clues found in one attack stage can serve as the detection basis of other stages and the detection conclusions of all stages can be correlated into attack evidence of higher certainty, finding APT attacks more efficiently.
Disclosure of Invention
The invention mainly aims to overcome the defects of the prior art and provide a method for deep analysis and detection, from multiple dimensions, of each attack stage in the APT attack life cycle. The technical solution of the invention is as follows:
a method for multi-dimensional deep-level detection of APT attacks is provided, comprising the following steps:
Step A: a traffic collection module collects, parses and restores the traffic of common network application-layer protocol packets (HTTP, SMTP, POP3, IMAP, FTP, SMB, DNS, etc.);
the traffic collection module captures network application-layer protocol packets from bypass (mirrored) traffic using the Libpcap library, parses and restores them according to the specifications of the common application-layer protocols (HTTP, SMTP, POP3, IMAP, FTP, SMB, DNS and the like) through IP fragment reassembly, TCP stream reassembly and application-layer protocol parsing, and finally obtains the specific network application behaviours contained in the packets;
Step B: the network application behaviours obtained in step A are analysed and detected separately against the possible attack points of each attack stage of the APT attack life cycle, and attack behaviours are recorded and alerted;
Step C: the attack-behaviour alert information generated by single-attack-point detection is used to further optimise the detection strategy and mechanism of each attack point;
Step D: the attack-behaviour alert information generated by single-attack-point detection is correlated into an APT attack chain using the attack source IP, the attacked IP, the position of each attack point's stage in the APT attack life cycle, and the time of each alert.
In the invention, the possible attack points of each attack stage of the APT attack life cycle are analysed and detected separately in step B, and the detection threshold can be adjusted through the credibility coefficients and infection coefficients of the source IP and destination IP addresses, so that different detection strengths are realised;
the credibility coefficient of an IP address is a value in the range 0 to 100 obtained from the IP credibility information; the IP credibility information is a two-dimensional information base keyed by IP address with the IP credibility coefficient as value;
the infection coefficient of an IP address is a value in the range 0 to 100 obtained from the IP threat-degree information; the IP threat-degree information is a two-dimensional information base keyed by IP address with the IP infection coefficient as value;
step B specifically comprises the following substeps:
Step B1: dividing the APT attack life cycle into 7 attack stages: initial intrusion, foothold establishment, Trojan callback, privilege escalation, internal reconnaissance, lateral movement and data theft;
Step B2: for the initial intrusion stage, detecting e-mail social-engineering attacks and malicious file delivery;
Step B3: for the foothold establishment stage, detecting the receipt of malicious files and Webshell implantation;
Step B4: for the Trojan callback stage, detecting C&C IP/URL access and DGA domain-name requests, and detecting Webshell use;
Step B5: for the privilege escalation stage, detecting vulnerability exploitation and password cracking;
Step B6: for the internal reconnaissance stage, detecting intranet port scanning and SMB remote overflow attacks against the intranet;
Step B7: for the lateral movement stage, detecting intranet password brute forcing and malicious file delivery;
Step B8: for the data theft stage, detecting covert channel transmission, steganographic file transmission and illicit data transfer over port 80.
In the invention, step C specifically comprises the following substeps:
Step C1: by summarising and analysing all attack-behaviour alert information, detecting attack source IPs that keep attempting attacks in different APT attack stages and against different target IPs using different protocols and attack modes, and generating IP credibility information;
the IP credibility information is a two-dimensional information base keyed by IP address with the IP credibility coefficient as value; the IP credibility coefficient is a value in the range 0 to 100, and the larger the value, the more trustworthy the access initiated by that IP, i.e. the lower the probability that it carries attack behaviour;
Step C2: by summarising and analysing all attack-behaviour alert information, detecting IPs that appear as attack receiver in one APT attack stage and as attack initiator in the adjacent stage, and generating IP threat-degree information;
the IP threat-degree information is a two-dimensional information base keyed by IP address with the IP infection coefficient as value; the IP infection coefficient is a value in the range 0 to 100, and the larger the value, the more likely the IP is infected; correspondingly, a source IP accessing such an IP is more likely to be the attacker's IP, and other IPs accessed by it are more likely to be under lateral movement attack;
Step C3: synchronising the generated IP credibility information and IP threat-degree information into the detection strategies of the attack points of the 7 attack stages of the APT attack life cycle in step B (the analysis and detection methods of the possible attack points of every stage use the IP credibility coefficient from the IP credibility information and the IP infection coefficient from the IP threat-degree information as detection thresholds, so that the detection strength for a specific IP is adjusted dynamically).
In step D, the APT attack chain takes IPs as nodes; the IPs are connected by the names of the attack points that confirm the stages of a successful APT attack life cycle, and the connecting lines between IP nodes summarise and display the attack mode, attack count, attack start and stop times and threat degree, and can be clicked to drill into the details;
the APT attack chain can automatically draw an IP node path diagram from the initial intrusion stage to the data theft stage according to the stages of the APT attack life cycle; if no IP node path covering the full APT attack life cycle is found, the IP node path diagram of the longest path is drawn, so as to quickly locate the node device that most urgently needs remediation.
Compared with the prior art, the invention has the following beneficial effects:
compared with traditional protection mechanisms and products, the method analyses and detects, from multiple dimensions, the possible attack points in each stage of the APT attack life cycle; an attack clue found in one attack stage is used as the detection basis of the other stages, and the detection conclusions of the stages are correlated into attack evidence of higher certainty. This solves the problems of traditional products, which perform single-point detection of the individual attack techniques in the APT attack life cycle, detect only isolated attack points and layers, cannot make the detection strategies of the attack points interact and self-optimise, and are therefore poor at finding latent APT attacks.
Drawings
FIG. 1 is a flow chart of the detection according to the present invention.
Detailed Description
First, it should be noted that the present invention relates to the field of APT attack detection, an application branch of computer technology in the field of information security. Implementing the invention involves detecting attack points across the stages of the APT attack life cycle. The applicant believes that a person skilled in the art, after reading this application and in conjunction with the prior art, can fully implement the invention using their own software programming skills and properly understand its principles and objectives. All references made herein are to the extent that they do not constitute a complete listing of the applicants.
The invention is described in further detail below with reference to the detailed description and the accompanying drawing:
the method for multi-dimensional deep-level detection of APT attacks divides the APT attack life cycle into attack stages, performs multi-dimensional deep-level detection of the attack points of the different stages, uses an attack clue found in one stage as a detection basis for the other stages, and correlates the detection conclusions of the stages into an APT attack chain so as to rapidly locate the node device that most urgently needs remediation. The processing flow is shown in FIG. 1, and the specific steps are as follows:
Step 1: the traffic collection module collects traffic.
The traffic collection module captures network packets with the Libpcap library, capturing the default ports of the common application-layer protocols HTTP, SMTP, POP3, IMAP, FTP, SMB, DNS and the like; for HTTP, for example, ports 80 and 8080 are captured by default.
To adapt to different network environments, the capture ports of each application protocol can be added, deleted and modified through an interface.
Step 2: parse and restore the protocols to generate original behaviour information.
The captured TCP packets are reassembled at the application-layer protocol level, the original behaviour information is parsed and restored according to the application-layer protocol specification, and information such as source IP, destination IP, destination port, time of occurrence, application protocol and application behaviour content is recorded. The application behaviour content depends on the protocol; for HTTP, according to the HTTP specification, it includes the request method, URI, User-Agent, Host, Cookie, request headers, the names and contents of uploaded and downloaded files, the POST body, the response code, the response content, latency information and the like.
Step 3: judge whether the source IP and destination IP of the original behaviour are in the IP credibility and IP threat-degree information bases.
The IP credibility information base holds credibility information keyed by IP address; the system derives it from the attack activity of each attack source IP across all past attack-behaviour alert information.
The IP threat-degree information base holds threat-degree information keyed by IP address; the system computes it from the IPs that appear both as attack source and as attack target across all past attack-behaviour alert information, identifying IPs that are probably infected.
If either the source IP or the destination IP of the original behaviour is in the IP credibility information base or the IP threat-degree information base, proceed to step 4; if neither IP is in either base, proceed to step 5.
Step 4: adjust the detection thresholds and strategies of each attack point in the APT attack life cycle.
The detection severity of each attack point's detection strategy in the APT attack life cycle is adjusted through a detection threshold, which is obtained by a weighted calculation over the IP credibility and the IP threat degree, so that the detection strength for a specific IP is adjusted dynamically.
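The lookup of steps 3 and 4 (and step C3 above) as an added example that is not the patent's own code: the two information bases are constructed, and the weights, the neutral default for unknown IPs and the 0..100 threshold scale are assumptions, since the description says only that the threshold is a weighted calculation over IP credibility and IP threat degree.

```python
"""Steps 3 and 4: look both endpoints of a restored behaviour up in the IP
credibility and IP threat-degree information bases and derive the per-flow
detection threshold.  Added example; weights, defaults and scale are assumed."""
from dataclasses import dataclass

# Constructed two-dimensional information bases (IP address -> coefficient 0..100).
# Credibility: higher means the IP's traffic is more trustworthy (step C1).
# Infection: higher means the IP is more likely already compromised (step C2).
CREDIBILITY = {"203.0.113.7": 15, "198.51.100.20": 90}
INFECTION = {"10.0.0.5": 80, "10.0.0.9": 10}

NEUTRAL_CREDIBILITY = 50   # assumed default for an IP absent from the base
BASE_THRESHOLD = 50.0      # assumed suspicion score a detector must reach to alert


@dataclass(frozen=True)
class Behavior:
    """Original behaviour restored in step 2 (only the fields needed here)."""
    src_ip: str
    dst_ip: str
    protocol: str


def in_information_bases(b: Behavior) -> bool:
    """Step 3: go to step 4 if either endpoint is known, otherwise straight to step 5."""
    return any(ip in CREDIBILITY or ip in INFECTION for ip in (b.src_ip, b.dst_ip))


def detection_threshold(b: Behavior, w_cred: float = 0.5, w_inf: float = 0.5) -> float:
    """Step 4: weighted threshold.  A low-credibility source lowers the threshold
    (stricter detection); an infected endpoint on either side lowers it further,
    because traffic from an infected host may be lateral movement and traffic to
    one may come from its controller (step C2).  Unknown IPs stay neutral."""
    if not in_information_bases(b):
        return BASE_THRESHOLD
    cred = CREDIBILITY.get(b.src_ip, NEUTRAL_CREDIBILITY)
    infection = max(INFECTION.get(b.src_ip, 0), INFECTION.get(b.dst_ip, 0))
    threshold = BASE_THRESHOLD + w_cred * (cred - NEUTRAL_CREDIBILITY) - w_inf * infection
    return float(min(95.0, max(5.0, threshold)))  # keep the threshold in a usable band


def should_alert(b: Behavior, suspicion_score: float) -> bool:
    """Any stage detector (steps 5 to 11) compares its 0..100 suspicion score
    with the per-flow threshold instead of a fixed constant."""
    return suspicion_score >= detection_threshold(b)
```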
Step 5: initial intrusion detection.
Possible attack points of the initial intrusion stage include mail header spoofing, sender spoofing, mail phishing, malicious links in mail and malicious file delivery by mail; compromising a web server and implanting malicious files through SQL injection, cross-site scripting and command injection; or delivering malware to FTP and SMB servers to spread a watering-hole attack.
Mail header spoofing, sender spoofing, mail phishing and malicious mail links are all e-mail social-engineering attacks; they are detected on the original behaviours of the SMTP, POP3 and IMAP protocols through semantic analysis or checks of the URLs they carry.
Malicious file delivery is detected on the file upload behaviours of the SMTP, FTP, HTTP and SMB protocols by antivirus scanning, static analysis and dynamic sandbox analysis of the extracted files.
Step 6: foothold establishment detection.
Possible attack points of the foothold establishment stage include receiving malware by mail, downloading malware from web, FTP or SMB servers, and implanting a Webshell into a web server through SQL injection and cross-site scripting.
Webshell implantation is detected by strategy (rule) matching, and Webshell files are identified by machine-learning classification.
Step 7: Trojan callback detection.
Possible attack points of the Trojan callback stage include accessing C&C IPs/URLs and DGA domain-name requests.
C&C IPs/URLs are identified from a library of IPs and URLs from historical APT attack events, or from the callback IPs and URLs captured when malicious files are run in the dynamic sandbox.
DGA domain-name request detection identifies, in DNS traffic, resolution requests for domain names generated by a DGA (domain generation algorithm).
Step 8: privilege escalation detection.
Detection of the attack points of the privilege escalation stage covers vulnerability exploitation and password cracking behaviour.
Step 9: internal reconnaissance detection.
Detection of the attack points of the internal reconnaissance stage covers port scanning captured in intranet communication and remote overflow attacks against the intranet through SMB.
Step 10: lateral movement detection.
Detection of the attack points of the lateral movement stage covers password brute forcing captured in intranet communication and malicious file delivery.
Step 11: data theft detection.
Detection of the attack points of the data theft stage covers covert channel transmission, steganographic file transmission and illicit data transfer over port 80.
Step 12: judge whether the behaviour is an attack behaviour of any attack point.
If the original behaviour is judged to be an attack behaviour by any of the attack point detections of steps 5 to 11, proceed to step 13 for further processing; if it meets the detection condition of none of the attack points of steps 5 to 11, return to step 1.
Step 13: record the attack behaviour and generate an alert.
The original behaviour identified as an attack behaviour is marked, and a standard log record is generated in the alert format.
Step 14: store the alert information.
The alert log is written to a relational database.
Step 15: correlate the alert information into an attack chain.
An APT attack chain is generated by correlating the attack source IP, the attacked IP, the position of each attack point's stage in the APT attack life cycle and the time of each alert. The APT attack chain takes IPs as nodes; the IPs are connected by the names of the attack points that confirm the stages of a successful APT attack life cycle, and the connecting lines between IP nodes summarise and display the attack mode, attack count, attack start and stop times and threat degree, and can be clicked to drill into the details.
The APT attack chain can further automatically draw an IP node path diagram from the initial intrusion stage to the data theft stage according to the stages of the APT attack life cycle; if no IP node path covering the full APT attack life cycle is found, the IP node path diagram of the longest path is drawn, so as to quickly locate the node device that most urgently needs remediation.
Step 16: summarise and analyse the credibility and threat degree of the IPs involved in the alert information.
By summarising and analysing all attack-behaviour alert information, the system detects attack source IPs that keep attempting attacks in different APT stages and against different target IPs using different protocols and attack modes, and classifies them as potential low-credibility IPs, thereby confirming IP credibility.
By summarising and analysing all attack-behaviour alert information, the system detects IPs that appear as attack receiver in one APT attack stage and as attack initiator in the adjacent stage, and classifies them as potentially controlled IPs, thereby confirming IP threat degree.
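Steps 15 and 16 (the correlation of steps C1, C2 and D) as an added example that is not the patent's own code: the alert set is constructed, and the stage indices, the "different stages / targets / methods" thresholds and the coefficient formulas are assumptions, since the description gives none.

```python
"""Steps 15/16: correlate alerts into an APT attack chain (IP nodes, attack-point
edges, longest path when the full life cycle is not covered) and derive the IP
credibility / threat-degree candidates.  Added example; thresholds, coefficient
formulas and the alert set below are assumptions, not the patent's."""
from collections import defaultdict
from dataclasses import dataclass, field

STAGES = ["initial intrusion", "foothold establishment", "Trojan callback",
          "privilege escalation", "internal reconnaissance", "lateral movement",
          "data theft"]

@dataclass(frozen=True)
class Alert:
    src: str        # attack source IP
    dst: str        # attacked IP
    stage: int      # index into STAGES
    protocol: str
    mode: str       # attack point name
    time: int       # epoch seconds

# Constructed alerts: 203.0.113.7 probes 10.0.0.20 and phishes 10.0.0.5; 10.0.0.5
# beacons, scans and brute-forces 10.0.0.9, which exfiltrates.  No privilege-
# escalation alert exists, so no path covers all 7 stages.
ALERTS = [
    Alert("203.0.113.7", "10.0.0.20", 0, "HTTP", "SQL injection", 900),
    Alert("203.0.113.7", "10.0.0.5", 0, "SMTP", "mail malicious link", 1000),
    Alert("203.0.113.7", "10.0.0.5", 1, "HTTP", "malicious file download", 1100),
    Alert("10.0.0.5", "198.51.100.77", 2, "DNS", "DGA domain request", 1200),
    Alert("10.0.0.5", "10.0.0.9", 4, "TCP", "port scan", 1400),
    Alert("10.0.0.5", "10.0.0.9", 5, "SMB", "password brute force", 1500),
    Alert("10.0.0.9", "198.51.100.77", 6, "HTTP", "illegal data transmission", 1600),
]

@dataclass
class Edge:
    """Connecting line between two IP nodes (what the drill-down shows)."""
    start: int
    stop: int = 0
    count: int = 0
    modes: set = field(default_factory=set)
    stages: set = field(default_factory=set)

def summarize_edges(alerts):
    """Step 15: one edge per (src, dst) pair with modes, count, start/stop, stages."""
    edges = {}
    for a in sorted(alerts, key=lambda a: a.time):
        e = edges.setdefault((a.src, a.dst), Edge(start=a.time))
        e.stop, e.count = a.time, e.count + 1
        e.modes.add(a.mode)
        e.stages.add(a.stage)
    return edges

def longest_chain(edges):
    """Longest IP node path whose edges advance through the life-cycle stages.
    Returns (node path, sorted stages covered, whether all 7 stages are covered)."""
    adj = defaultdict(list)
    for (s, d), e in edges.items():
        if s != d:                         # host-local stages would be self-loops
            adj[s].append((d, e))
    best = ([], set())

    def dfs(node, last_stage, path, covered):
        nonlocal best
        if len(covered) > len(best[1]):
            best = (list(path), covered)
        for nxt, e in adj[node]:
            later = {st for st in e.stages if st > last_stage}
            if later and nxt not in path:
                dfs(nxt, max(later), path + [nxt], covered | later)

    for start in list(adj):
        dfs(start, -1, [start], set())
    return best[0], sorted(best[1]), len(best[1]) == len(STAGES)

def low_credibility_sources(alerts, min_stages=2, min_targets=2, min_methods=2):
    """Step 16 / C1: sources that keep attacking across stages, targets and methods.
    Returns IP -> assumed credibility coefficient (0..100, lower = less trusted)."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a.src].append(a)
    result = {}
    for src, items in by_src.items():
        stages = {a.stage for a in items}
        targets = {a.dst for a in items}
        methods = {(a.protocol, a.mode) for a in items}
        if (len(stages) >= min_stages and len(targets) >= min_targets
                and len(methods) >= min_methods):
            result[src] = max(0, 100 - 15 * len(stages) - 10 * len(targets)
                              - 5 * len(methods))
    return result

def controlled_ips(alerts):
    """Step 16 / C2: IPs attacked in stage k that attack in stage k+1.
    Returns IP -> assumed infection coefficient (0..100, higher = likelier infected)."""
    as_dst, as_src = defaultdict(set), defaultdict(set)
    for a in alerts:
        as_dst[a.dst].add(a.stage)
        as_src[a.src].add(a.stage)
    result = {}
    for ip, stages in as_dst.items():
        pairs = sum(1 for k in stages if k + 1 in as_src[ip])
        if pairs:
            result[ip] = min(100, 50 * pairs)
    return result
```

The outputs of `low_credibility_sources` and `controlled_ips` are what steps 17 and 18 would write into the two information bases that step 3 later consults.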
Step 17: update the IP threat-degree information base.
The IP threat-degree information base holds threat-degree information keyed by IP address; it is stored persistently in the relational database and simultaneously cached in memory so that the judgement in step 3 performs well.
Step 18: update the IP credibility information base.
The IP credibility information base holds credibility information keyed by IP address; it is stored persistently in the relational database and simultaneously cached in memory so that the judgement in step 3 performs well.
In this way the APT attack life cycle is divided into attack stages, multi-dimensional deep-level detection is performed on the attack points of the different stages, an attack clue found in one stage serves as the detection basis of the other stages, the detection conclusions of the stages are correlated into APT attack chains, and a system for multi-dimensional deep-level detection of APT attacks is achieved.
Finally, it should be noted that the above is only a specific embodiment of the present invention. The invention is obviously not limited to the above embodiment, and many variations are possible. All modifications that a person skilled in the art can derive or infer from the disclosure of the present invention are considered to fall within the scope of the invention.

Claims (4)

1. A method for multi-dimensional deep-level detection of APT attacks, characterised by comprising the following steps:
Step A: a traffic collection module collects, parses and restores the traffic of common network application-layer protocol packets;
the traffic collection module captures network application-layer protocol packets from bypass (mirrored) traffic, parses and restores them according to the specifications of the common application-layer protocols through IP fragment reassembly, TCP stream reassembly and application-layer protocol parsing, and finally obtains the specific network application behaviours contained in the packets;
Step B: the network application behaviours obtained in step A are analysed and detected separately against the possible attack points of each attack stage of the APT attack life cycle, and attack behaviours are recorded and alerted;
Step C: the attack-behaviour alert information generated by single-attack-point detection is used to further optimise the detection strategy and mechanism of each attack point; this specifically comprises the following substeps:
Step C1: by summarising and analysing all attack-behaviour alert information, detecting attack source IPs that keep attempting attacks in different APT attack stages and against different target IPs using different protocols and attack modes, and generating IP credibility information;
Step C2: by summarising and analysing all attack-behaviour alert information, detecting IPs that appear as attack receiver in one APT attack stage and as attack initiator in the adjacent stage, and generating IP threat-degree information;
Step C3: synchronising the generated IP credibility information and IP threat-degree information into the detection strategies of the attack points of each attack stage of the APT attack life cycle in step B;
Step D: the attack-behaviour alert information generated by single-attack-point detection is correlated into an APT attack chain using the attack source IP, the attacked IP, the position of each attack point's stage in the APT attack life cycle, and the time of each alert.
2. The method according to claim 1, wherein the analysis and detection of possible attack points in each attack stage of the APT attack life cycle in step B are respectively performed, and the detection threshold can be adjusted by the credibility coefficient and the infection coefficient of the source IP address and the destination IP address to realize different detection strengths;
the credibility coefficient of the IP address is represented by a numerical value in the range of 0 to 100 and can be obtained from IP credibility information; the IP credibility information is a two-dimensional information base based on the IP address and the IP credibility coefficient as numerical values;
the infection coefficient of the IP address is represented by a numerical value in the range of 0 to 100 and can be obtained from the IP threat degree information; the IP threat degree information is a two-dimensional information base which takes an IP address and an IP infection coefficient as numerical values;
step B specifically comprises the following substeps:
step B1: dividing the APT attack life cycle into 7 attack stages: initial intrusion, foothold establishment, Trojan callback, privilege escalation, internal reconnaissance, lateral movement and data theft;
step B2: in the initial intrusion stage, performing mail-based social engineering attack detection and malicious file delivery detection;
step B3: in the foothold establishment stage, performing malicious file receipt detection and Webshell implantation detection;
step B4: in the Trojan callback stage, performing C&C IP/URL detection, DGA domain name request detection and Webshell detection;
step B5: in the privilege escalation stage, performing vulnerability exploitation detection and password cracking detection;
step B6: in the internal reconnaissance stage, performing intranet port scan detection and SMB remote overflow attack detection;
step B7: in the lateral movement stage, performing intranet password brute-force detection and malicious file delivery detection;
step B8: in the data theft stage, performing detection of covert channel transmission, steganographic file transmission and illegal data transmission over port 80.
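An added illustration of the threshold adjustment claim 2 describes; this is not code from the patent. A base threshold for one attack point (here an assumed failed-login rate for the password-cracking detection of step B5) is scaled by the source IP's credibility coefficient and by the larger infection coefficient of the two endpoints, so the same attack point fires more readily around infected hosts and less readily for highly credible sources. The scaling formula, the default values for IPs absent from the bases, the clamp, and the two information bases themselves are assumptions constructed for the example; the page specifies only that both coefficients lie in the range 0 to 100.

```python
"""Threshold adjustment by IP credibility and infection coefficients.

Added example, not the patent's code. The two "two-dimensional information
bases" are plain dicts; the scaling rule and the defaults are assumptions.
"""

# Constructed information bases: IP address -> coefficient in the range 0..100.
IP_CREDIBILITY = {"203.0.113.10": 95, "198.51.100.7": 20, "10.0.0.5": 60}
IP_INFECTION = {"10.0.0.5": 80, "10.0.0.9": 10}


def credibility(ip: str) -> int:
    """Credibility coefficient; an IP absent from the base is treated as neutral (assumed)."""
    return IP_CREDIBILITY.get(ip, 50)


def infection(ip: str) -> int:
    """Infection coefficient; an IP absent from the base is treated as clean (assumed)."""
    return IP_INFECTION.get(ip, 0)


def adjusted_threshold(base: int, src_ip: str, dst_ip: str) -> int:
    """Effective threshold for one attack point, given both endpoints.

    Assumed rule: a credible source raises the threshold (weaker detection,
    fewer alarms); an infected source or destination lowers it (stronger
    detection). The scale factor is clamped to [0.25, 2.0] so that no
    coefficient can switch a detection off or make it fire on a single event.
    """
    cred = credibility(src_ip) / 100.0                       # 0.0 .. 1.0
    inf = max(infection(src_ip), infection(dst_ip)) / 100.0  # 0.0 .. 1.0
    factor = (0.5 + cred) * (1.0 - 0.75 * inf)
    factor = max(0.25, min(2.0, factor))
    return max(1, round(base * factor))


def exceeds_threshold(observed: int, base: int, src_ip: str, dst_ip: str) -> bool:
    """True when the observed event count for the attack point reaches the adjusted threshold."""
    return observed >= adjusted_threshold(base, src_ip, dst_ip)


if __name__ == "__main__":
    # Assumed base: 20 failed logins per minute for the step B5 password-cracking point.
    BASE = 20
    for src, dst in [("203.0.113.10", "10.0.0.9"), ("10.0.0.5", "10.0.0.9"),
                     ("192.0.2.1", "10.0.0.5"), ("198.51.100.7", "192.0.2.1")]:
        print(f"{src:>14} -> {dst:<13} threshold {adjusted_threshold(BASE, src, dst):>3}")
```

With these sample bases, ten failed logins from the infected host 10.0.0.5 already trip the detection (threshold 9), while the same ten from the highly credible 203.0.113.10 do not (threshold 27); the infection coefficient of the destination alone is enough to lower the threshold for an otherwise unknown source.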
3. The method according to claim 1, wherein in step C the IP credibility information is a two-dimensional information base whose entries are an IP address and its IP credibility coefficient; the IP credibility coefficient is a numerical value in the range 0 to 100, and the larger the value, the higher the credibility of accesses initiated by that IP, that is, the lower the relative likelihood of attack behavior;
the IP threat degree information is a two-dimensional information base whose entries are an IP address and its IP infection coefficient; the IP infection coefficient is a numerical value in the range 0 to 100, and the larger the value, the more likely the IP is infected, and therefore the more likely a source IP accessing that IP is an attacker IP and the more likely accesses initiated by that IP subject other IPs to lateral movement attacks.
4. The method according to claim 1, wherein in step D the APT attack link connects IP nodes by the names of the attack points that identify successful stages of the APT attack life cycle; the connecting line between two IP nodes collectively represents the attack mode, attack count, attack start/stop times and threat level, and can be clicked to drill into detailed information;
the APT attack link automatically draws an IP node path diagram from the initial intrusion stage to the data theft stage according to the stages of the APT attack life cycle; if no IP node path covering the full APT attack life cycle is found, the IP node path diagram of the longest path is drawn, so that the node device most urgently in need of remediation can be quickly located.
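The correlation of claim 1 step D and the link drawing of claim 4, together with the adjacent-stage rule of step C2, as an added example that is not the patent's code. Alarms are constructed records carrying the four items the claim names (attack source IP, attacked IP, stage position, time). Two alarms are treated as linked when the later one belongs to a later life cycle stage, did not fire before the earlier one, and shares an IP with it; the longest linked chain is the APT attack link, and when no chain covers all seven stages the longest partial chain is returned, as claim 4 describes. That linking rule, the 40-points-per-adjacent-stage-pair scoring used for the infection coefficient, and the stage names (which follow the seven stages of step B1 in order) are assumptions made for the example.

```python
"""Correlating single-point alarms into an APT attack link and deriving IP threat
degree from adjacent-stage behaviour. Added example, not the patent's code; the
linking rule, the scoring and the sample alarms are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Set

# The seven stages of step B1, in life cycle order (list index = stage position).
STAGES = ["initial intrusion", "foothold establishment", "Trojan callback",
          "privilege escalation", "internal reconnaissance", "lateral movement",
          "data theft"]


@dataclass(frozen=True)
class Alarm:
    time: int    # epoch seconds in a real system; small integers here
    src: str     # attack source IP
    dst: str     # attacked IP
    point: str   # name of the attack point that fired
    stage: int   # index into STAGES


ALARMS = [  # constructed sample; one chain through all stages plus one unrelated alarm
    Alarm(1, "203.0.113.10", "10.0.0.5", "mail social engineering attack", 0),
    Alarm(2, "203.0.113.10", "10.0.0.5", "Webshell implantation", 1),
    Alarm(3, "10.0.0.5", "198.51.100.7", "C&C IP request", 2),
    Alarm(3, "192.0.2.50", "10.0.0.20", "malicious file delivery", 0),  # unrelated
    Alarm(4, "203.0.113.10", "10.0.0.5", "vulnerability exploitation", 3),
    Alarm(5, "10.0.0.5", "10.0.0.9", "intranet port scan", 4),
    Alarm(6, "10.0.0.5", "10.0.0.9", "intranet password brute force", 5),
    Alarm(7, "10.0.0.9", "198.51.100.7", "covert channel over port 80", 6),
]


def linked(earlier: Alarm, later: Alarm) -> bool:
    """Assumed linking rule: later stage, not-earlier time, and a shared IP
    (typically the victim of one stage acting as initiator of the next)."""
    return bool(later.stage > earlier.stage and later.time >= earlier.time
                and {earlier.src, earlier.dst} & {later.src, later.dst})


def longest_attack_link(alarms: List[Alarm]) -> List[Alarm]:
    """Longest chain of linked alarms (longest-path DP over alarms ordered by
    stage, which is a topological order because links only go to later stages).
    Returns the full-life-cycle chain when one exists, otherwise the longest
    partial one, whose last node is the device most urgently needing remediation."""
    order = sorted(alarms, key=lambda a: (a.stage, a.time))
    best: Dict[int, List[Alarm]] = {}   # index in `order` -> best chain ending there
    for j, a in enumerate(order):
        best[j] = [a]
        for i in range(j):
            if linked(order[i], a) and len(best[i]) + 1 > len(best[j]):
                best[j] = best[i] + [a]
    return max(best.values(), key=len) if best else []


def covers_full_lifecycle(chain: List[Alarm]) -> bool:
    return {a.stage for a in chain} == set(range(len(STAGES)))


def ip_node_path(chain: List[Alarm]) -> List[str]:
    """IP nodes in the order the link first visits them (the node path diagram)."""
    path: List[str] = []
    for a in chain:
        for ip in (a.src, a.dst):
            if ip not in path:
                path.append(ip)
    return path


def threat_degree(alarms: List[Alarm], per_pair: int = 40) -> Dict[str, int]:
    """Step C2 (assumed scoring): an IP that is attack receiver in stage k and
    attack initiator in stage k+1 earns per_pair points per such pair, capped at 100."""
    received: Dict[str, Set[int]] = {}
    initiated: Dict[str, Set[int]] = {}
    for a in alarms:
        received.setdefault(a.dst, set()).add(a.stage)
        initiated.setdefault(a.src, set()).add(a.stage)
    degree: Dict[str, int] = {}
    for ip, stages in received.items():
        pairs = sum(1 for k in stages if k + 1 in initiated.get(ip, set()))
        if pairs:
            degree[ip] = min(100, per_pair * pairs)
    return degree


if __name__ == "__main__":
    chain = longest_attack_link(ALARMS)
    print("full life cycle covered:", covers_full_lifecycle(chain))
    for a in chain:   # each connecting line labelled with attack point, stage and time
        print(f"  {a.src} -[{a.point} | {STAGES[a.stage]} | t={a.time}]-> {a.dst}")
    print("IP node path:", " -> ".join(ip_node_path(chain)))
    print("IP threat degree:", threat_degree(ALARMS))
```

On the sample, the chain runs from the external 203.0.113.10 through 10.0.0.5 and 10.0.0.9 to the callback server, and 10.0.0.5 receives the highest infection coefficient because it was attacked in stages 1 and 3 and then initiated the stage 2 and stage 4 activity; that coefficient is what step C3 feeds back into the per-stage detection thresholds.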
CN201710731477.0A 2017-08-23 2017-08-23 Method for multi-dimensional deep detection of APT (active Power test) attack Active CN107370755B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710731477.0A CN107370755B (en) 2017-08-23 2017-08-23 Method for multi-dimensional deep detection of APT (active Power test) attack

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710731477.0A CN107370755B (en) 2017-08-23 2017-08-23 Method for multi-dimensional deep detection of APT (active Power test) attack

Publications (2)

Publication Number Publication Date
CN107370755A CN107370755A (en) 2017-11-21
CN107370755B true CN107370755B (en) 2020-03-03

Family

ID=60311784

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710731477.0A Active CN107370755B (en) 2017-08-23 2017-08-23 Method for multi-dimensional deep detection of APT (active Power test) attack

Country Status (1)

Country Link
CN (1) CN107370755B (en)

Families Citing this family (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107888607B (en) * 2017-11-28 2020-11-06 新华三技术有限公司 Network threat detection method and device and network management equipment
CN110022288A (en) * 2018-01-10 2019-07-16 贵州电网有限责任公司遵义供电局 A kind of APT threat recognition methods
CN108040075B (en) * 2018-01-31 2020-09-01 海南上德科技有限公司 APT attack detection system
CN108833437A (en) * 2018-07-05 2018-11-16 成都康乔电子有限责任公司 One kind being based on flow fingerprint and the matched APT detection method of communication feature
CN109284317B (en) * 2018-10-26 2021-07-06 中孚安全技术有限公司 Time sequence directed graph-based stolen information clue extraction and segmented evaluation method
CN109446810B (en) * 2018-10-31 2021-05-25 杭州安恒信息技术股份有限公司 Malicious file defense method and device based on request rewriting and electronic equipment
CN109309591B (en) * 2018-10-31 2021-10-22 掌阅科技股份有限公司 Traffic data statistical method, electronic device and storage medium
CN109067815B (en) * 2018-11-06 2021-11-19 深信服科技股份有限公司 Attack event tracing analysis method, system, user equipment and storage medium
CN109660515B (en) * 2018-11-15 2020-05-12 中国科学院信息工程研究所 Attack chain detection method and device
CN109347882B (en) * 2018-11-30 2021-12-21 深信服科技股份有限公司 Webpage Trojan horse monitoring method, device, equipment and storage medium
CN109660539B (en) * 2018-12-20 2020-12-25 北京神州绿盟信息安全科技股份有限公司 Method and device for identifying defect-losing equipment, electronic equipment and storage medium
CN109922069B (en) * 2019-03-13 2020-12-25 中国科学技术大学 Multidimensional association analysis method and system for advanced persistent threats
CN112152962B (en) * 2019-06-26 2022-10-28 北京观成科技有限公司 Threat detection method and system
CN110602042B (en) * 2019-08-07 2022-04-29 中国人民解放军战略支援部队信息工程大学 APT attack behavior analysis and detection method and device based on cascade attack chain model
CN111723378B (en) * 2020-06-17 2023-03-10 浙江网新恒天软件有限公司 Website directory blasting method based on website map
CN113596037B (en) * 2021-07-31 2023-04-14 广州广电研究院有限公司 APT attack detection method based on event relation directed graph in network full flow
CN113746832B (en) * 2021-09-02 2022-04-29 华中科技大学 Multi-method mixed distributed APT malicious flow detection defense system and method
CN113839950B (en) * 2021-09-27 2023-06-27 厦门天锐科技股份有限公司 Mail approval method and system based on terminal mail SMTP protocol
CN116032527A (en) * 2022-11-08 2023-04-28 广东广信通信服务有限公司 Cloud computing-based data security vulnerability sensing system and method

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103354548A (en) * 2013-06-28 2013-10-16 华为数字技术(苏州)有限公司 Method, device and system for detecting highly persistent threat attack
CN103905418A (en) * 2013-11-12 2014-07-02 北京安天电子设备有限公司 APT multi-dimensional detection and defense system and method
CN105024976A (en) * 2014-04-24 2015-11-04 中国移动通信集团山西有限公司 Advanced persistent threat attack recognition method and device
CN105376245A (en) * 2015-11-27 2016-03-02 杭州安恒信息技术有限公司 Rule-based detection method of ATP attack behavior

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9021092B2 (en) * 2012-10-19 2015-04-28 Shadow Networks, Inc. Network infrastructure obfuscation

Also Published As

Publication number Publication date
CN107370755A (en) 2017-11-21

Similar Documents

Publication Publication Date Title
CN107370755B (en) Method for multi-dimensional deep detection of APT (active Power test) attack
CN112769821B (en) Threat response method and device based on threat intelligence and ATT & CK
Wurzinger et al. Automatically generating models for botnet detection
Ianelli et al. Botnets as a vehicle for online crime
Koziol Intrusion detection with Snort
US7464407B2 (en) Attack defending system and attack defending method
US9401932B2 (en) Device and method for detection of anomalous behavior in a computer network
US9525696B2 (en) Systems and methods for processing data flows
US8402540B2 (en) Systems and methods for processing data flows
US8135657B2 (en) Systems and methods for processing data flows
US7979368B2 (en) Systems and methods for processing data flows
US7873998B1 (en) Rapidly propagating threat detection
CN105471912B (en) Monitor the safety defense method and system of network
CN105024976B (en) A kind of advanced constant threat attack recognition method and device
CN108768917B (en) Botnet detection method and system based on weblog
EP2432188A1 (en) Systems and methods for processing data flows
CN106992955A (en) APT fire walls
CN102457495A (en) Method and system for defending network virus
CN102045220A (en) Wooden horse monitoring and auditing method and system thereof
CN112788043B (en) Honeypot system service self-adaption method and self-adaption service honeypot system
Borys et al. An evaluation of IoT DDoS cryptojacking malware and Mirai Botnet
US20240121251A1 (en) Command and Control Steganographic Communications Detection Engine
CN108737332A (en) A kind of man-in-the-middle attack prediction technique based on machine learning
Ponomarev Intrusion Detection System of industrial control networks using network telemetry
Al-Dabagh et al. Monitoring and analyzing system activities using high interaction honeypot

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 310051 No. 188 Lianhui Street, Xixing Street, Binjiang District, Hangzhou City, Zhejiang Province

Applicant after: Hangzhou Annan information technology Limited by Share Ltd

Address before: Zhejiang Zhongcai Building No. 68 Binjiang District road Hangzhou City, Zhejiang Province, the 310051 and 15 layer

Applicant before: Dbappsecurity Co.,ltd.

GR01 Patent grant