APT (advanced persistent threat) detection method and system

An advanced persistent threat (APT) detection method and system, classified under transmission systems, digital transmission systems and electrical components, which addresses the problems of missed detections, unmatched (encrypted) data and the difficulty of detecting attacks from a bypass monitoring position, with the stated effect of good performance and accuracy and improved detection capability.

Publication date: 2013-09-18 (status: inactive)
Applicant: BEIJING VENUS INFORMATION TECH +1

AI Technical Summary

Problems solved by technology

[0005] 1) Because APT attacks are so varied, it is hard to cover every attack scenario, so detection is incomplete.
To reach a specific goal an attacker can use many different methods, and as a defender it is hard to enumerate every possible scenario exhaustively. Any scenario that is missed during scenario construction produces false negatives in detection.
[0006] 2) APT attacks often transmit sensitive information over encrypted channels, which bypass (out-of-band) monitoring cannot inspect.
Once an attacker has succeeded in intruding, the stolen sensitive information is usually transmitted over an encrypted channel, and a bypass monitoring device cannot match signatures against encrypted data.
[0007] 3) APT attacks frequently rely on zero-day vulnerabilities, and traditional signature-matching intrusion detection devices lag behind them.
Once the real-time detection of an attack behaviour has been missed, the APT attack process cannot be traced back afterwards, even when detection signatures are later updated and the detection capability is acquired.
[0008] 4) An APT attack is a long-lasting process. Its purpose is usually not to obtain a single gain but to maintain long-term benefits, so every step in the attack process is made inconspicuous; traditional intrusion detection may only surface isolated low-level security events that do not attract the full attention of administrators.
[0009] From the above deficiencies it follows that the difficulty of APT detection is that the attacker's behaviour unfolds over a time window, whereas traditional intrusion detection equipment performs real-time detection at single points in time and lacks the supporting detection context.


Examples


Embodiment 1

[0063] Step 101: Obtain the attack steps of each attack scenario defined by the user, together with the association rules used to judge whether the preceding and following attack steps of each attack step exist, where each attack step corresponds to a plurality of different events that can realise that attack step.

[0064] Step 102: Perform intrusion detection in real time and record the alarm events occurring in the network.

[0065] Step 103: If an alarm event is an event corresponding to an attack step of some attack scenario, trigger the APT attack state detection process, which specifically includes:

[0066] If the alarm event corresponds to the initial attack step of the attack scenario, the event currently in the network is saved directly as a new attack sequence corresponding to that attack scenario;

[0067] If the alarm event does not correspond to the initial attack step, it is judged whether there is a relationship between the alarm event and the saved attack sequence and...

Embodiment 2

[0071] Unlike Embodiment 1, when the alarm event is not the initial state of any APT attack pattern sequence and cannot be accurately associated with the next state of an APT attack sequence in the stored APT attack sequence library, the following operations are performed:

[0072] The APT detection engine loads the latest and most comprehensive attack signatures and analysis strategies and performs in-depth detection on the historical data. Specifically:

[0073] Step 201: When any two attack steps are both associated with the same attack step, merge those two attack steps into a single association relationship;

[0074] In the following, uppercase letters denote attack steps and lowercase letters denote the events corresponding to those attack steps; for example, for attack step A the corresponding event is a.

[0075] As an example of merging between attack steps:

[0076] When attack step A is associated with attack step B, and attack st...

Embodiment 3

[0087] If the attack sequence processed with the method of Embodiment 2 is related to an existing attack sequence, a new attack sequence entry is added to the APT attack sequence library;

[0088] If the generated new attack sequence is unique (that is, the attack pattern in the output result is unique), for example (A+B+C+D+E: "a+b+*+d+e"), and a related attack sequence (A+B+C+D+E: "a+b") exists in the stored APT attack sequence library, the stored attack sequence is replaced with the new attack sequence.

[0089] If the APT attack sequence library stored at this time contains related attack sequences such as (A+B+C+D+E: "a+b+*+*+e"; A+B+X+D+E: "a+b+*+*+e"), the stored attack sequence is updated to (A+B+C+D+E: "a+b+*+d+e") and the unmatched attack pattern (A+B+X+D+E: "a+b+*+*+e") is deleted.

[0090] If the generated attack sequence is (A+B+C+D+E: "*+*+c+d+e"), and there are related attack sequences in the currently stored APT attack sequence dat...
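The following is an added illustration, not code from the patent: a small correlator in the style of Steps 101 to 103 of Embodiment 1 that emits attack sequences in the lower-case "a+b+*+d+e" notation of Embodiments 2 and 3, plus the library update rule of [0088]. The scenario, the event names and the exact association rule (an earlier step must already be present on the same host) are assumptions.

```python
# Added illustration, not code from the patent: a small correlator in the
# style of Embodiment 1 that writes attack sequences in the "a+b+*+d+e"
# notation of Embodiments 2 and 3. Scenario and event names are constructed.
SCENARIO = {  # ordered attack steps -> alarm events that realise each step
    "A": {"phish_attachment", "drive_by_download"},
    "B": {"dropper_executed"},
    "C": {"priv_escalation"},
    "D": {"c2_beacon", "dns_tunnel"},
    "E": {"bulk_upload", "tls_exfil"},
}
STEPS = list(SCENARIO)  # ["A", "B", "C", "D", "E"]

def step_of(event):
    """Map an IDS alarm event to the attack step it realises, or None."""
    return next((s for s, evs in SCENARIO.items() if event in evs), None)

def pattern(observed):
    """Render observed steps in the patent's lower-case notation; '*' = unseen."""
    return "+".join(s.lower() if s in observed else "*" for s in STEPS)

class Correlator:
    """Keeps one open attack sequence per host (Step 103 of Embodiment 1)."""
    def __init__(self):
        self.sequences = {}  # host -> set of observed step letters

    def ingest(self, host, event):
        step = step_of(event)
        if step is None:
            return None  # alarm belongs to no scenario step
        if step == STEPS[0]:
            self.sequences[host] = {step}  # initial step opens a new sequence
            return pattern(self.sequences[host])
        seq = self.sequences.get(host)
        # Association rule (assumed here): an earlier scenario step must already
        # be in this host's sequence for the new step to attach to it.
        if seq and any(STEPS.index(p) < STEPS.index(step) for p in seq):
            seq.add(step)
            return pattern(seq)
        return None  # orphan alarm; Embodiment 2 would re-scan history instead

def refines(new, old):
    """Embodiment 3 rule: 'new' replaces 'old' when it agrees on every step
    'old' already saw and fills at least one of old's '*' gaps."""
    # pad short forms such as "a+b" to the full scenario length
    n, o = ((p.split("+") + ["*"] * len(STEPS))[: len(STEPS)] for p in (new, old))
    return all(x == "*" or x == y for x, y in zip(o, n)) and n.count("*") < o.count("*")

def update_library(library, new):
    """Store 'new' in the APT sequence library, dropping entries it refines."""
    return [p for p in library if not refines(new, p)] + [new]
```

Feeding the events of one host in order yields "a+*+*+*+*", "a+b+*+*+*", "a+b+*+d+*" and finally "a+b+*+d+e"; a lone "c2_beacon" on a host with no open sequence is returned as an orphan, which is the case Embodiment 2 hands to historical re-scanning.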


Abstract

The invention provides an APT (advanced persistent threat) detection method and an APT detection system. The APT detection method comprises the following steps: obtaining the attack steps included in each APT attack scenario and an association rule used to judge whether the preceding and following attack steps of each attack step exist, wherein each attack step corresponds to a plurality of different events capable of realising that attack step; obtaining the result of network intrusion detection and recording the alarm events generated in the network; and, if an alarm event is an event corresponding to an attack step of some attack scenario, triggering the APT detection process, processing the obtained attack sequence and outputting the result as APT information.

Description

Technical field

[0001] The present invention relates to the field of information security, in particular to a detection method and system for advanced persistent threats.

Background technique

[0002] As hacker attacks become more and more organised and profitable, APT (Advanced Persistent Threat) has become the most serious threat to government and major enterprise information systems. Macroscopic network security monitoring has a wide monitoring range, involves many key units, and is an ideal environment for detecting APT attacks.

[0003] From a technical point of view, APT is not a new attack method but a general term for a specific type of attack, namely the entire process of a series of targeted attacks carried out by attackers in order to obtain important information of an organisation or even a country. APT attacks use a variety of attack methods, including various latest attack methods and social engineering methods, ...


Application Information

Patent type and authority: Applications (China)
IPC(8): H04L29/06, H04L12/24, H04L12/26
Inventors: 孙海波, 田进山, 周涛
Owner: BEIJING VENUS INFORMATION TECH