Detection method for APTs (Advanced Persistent Threat) based on instruction monitoring

A threat detection technology, applied to APT detection based on instruction monitoring, that addresses the inability of traditional detection to adapt to the current security situation and its lack of unknown-attack detection and deep traffic analysis capabilities; it is claimed to achieve high reliability and scalability and to improve security performance, reliability and efficiency.

Active Publication Date: 2017-06-13
CHINA ELECTRONICS TECH CYBER SECURITY CO LTD

Problems solved by technology

Traditional detection technologies such as firewalls, intrusion detection systems, security gateways, antivirus software and anti-spam systems mainly perform detection at the network border and


Example Embodiment

[0024] The present invention proposes a new APT advanced threat detection method based on instruction-level monitoring. It applies KVM virtualization and Intel hardware virtualization technology (Intel VT) to perform function (API) level and instruction level behaviour monitoring of the malicious code used in APT attacks, and uses taint analysis and other vulnerability detection methods to detect both unknown and known exploits effectively at their root cause. The invention is characterised by high scalability, strong concealment from the monitored guest and high fidelity of the collected data.

[0025] 1. The overall architecture of the present invention

[0026] As shown in figure 1, the main modules are: a custom ExKVM (extended KVM), multiple virtual machines, virtual machine introspection (LibVMI), taint analysis, operation monitoring and behaviour log data analysis modules. The design goal of the present invention is to be able to dynamically analyse various malicious codes in A...


Abstract

The invention discloses a detection method for APTs (Advanced Persistent Threats) based on instruction monitoring. Virtual machine execution behaviour is identified at the hypervisor level through an ExKVM and the virtual machine introspection library LibVMI, so that the running state of malicious code inside the virtual machine is monitored from outside it, and vulnerability exploitation attacks are discovered with a dynamic offline taint analysis method. User-layer and kernel-layer API execution is monitored non-invasively by injecting #BP (breakpoint) instructions at the API addresses from outside the virtual machine, and kernel stack allocation is tracked by injecting breakpoints into the Windows kernel memory allocation functions and kernel module structure operating functions. The offline taint analysis discovers malicious behaviour by tracking and recording the write, exchange and branch instructions between memory and registers during the execution of the malicious code. In this way the vulnerability exploitation used during an APT attack can be monitored effectively and the detection rate of malicious samples is improved.
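The offline taint step in the abstract (replaying recorded write, exchange and branch instructions and flagging a control transfer whose target depends on untrusted data) is shown below as an added example. This is not the patent's code: the trace record format, the operand syntax, the small x86 mnemonic subset and the sample traces are all constructed here for illustration, and a real recorder would emit many more instruction forms than this model handles.

```python
"""Offline taint analysis over a recorded instruction trace (added example).

Model: a guest-side recorder has logged (pc, mnemonic, operands...) tuples for
each executed instruction. Bytes read from an untrusted source are tainted;
taint propagates through moves/exchanges/arithmetic, and an indirect jmp/call
whose target register or memory slot is tainted is reported as a suspected
exploit (attacker data reaching the control flow).
"""
import re
from dataclasses import dataclass, field

MEM_RE = re.compile(r"^\[(0x[0-9a-fA-F]+)\]$")
IMM_RE = re.compile(r"^(0x[0-9a-fA-F]+|\d+)$")


def parse_operand(op):
    """Classify an operand as ("mem", addr), ("reg", name) or ("imm", value)."""
    op = op.strip()
    m = MEM_RE.match(op)
    if m:
        return ("mem", int(m.group(1), 16))
    if IMM_RE.match(op):
        return ("imm", int(op, 0))
    return ("reg", op.lower())


@dataclass
class TaintState:
    regs: set = field(default_factory=set)    # tainted register names
    mem: set = field(default_factory=set)     # tainted memory addresses
    alerts: list = field(default_factory=list)  # (pc, "mnemonic target")

    def tainted(self, op):
        kind, val = parse_operand(op)
        if kind == "mem":
            return val in self.mem
        if kind == "reg":
            return val in self.regs
        return False  # immediates never carry taint

    def mark(self, op, flag):
        kind, val = parse_operand(op)
        if kind == "imm":
            raise ValueError(f"immediate {op!r} cannot be a destination")
        target = self.mem if kind == "mem" else self.regs
        (target.add if flag else target.discard)(val)


def analyze(trace, tainted_addrs):
    """Replay the trace and return the final TaintState (alerts included)."""
    st = TaintState(mem=set(tainted_addrs))
    for pc, mnem, *ops in trace:
        if mnem in ("mov", "movzx", "movsx"):          # write: dst takes src taint
            dst, src = ops
            st.mark(dst, st.tainted(src))
        elif mnem == "xchg":                            # exchange: swap taint
            a, b = ops
            ta, tb = st.tainted(a), st.tainted(b)
            st.mark(a, tb)
            st.mark(b, ta)
        elif mnem in ("xor", "sub") and ops[0] == ops[1]:
            st.mark(ops[0], False)                      # zeroing idiom clears taint
        elif mnem in ("add", "sub", "xor", "or", "and"):
            dst, src = ops
            st.mark(dst, st.tainted(dst) or st.tainted(src))
        elif mnem in ("jmp", "call"):                   # branch: check the target
            (target,) = ops
            if parse_operand(target)[0] != "imm" and st.tainted(target):
                st.alerts.append((pc, f"{mnem} {target}"))
        # any other mnemonic: not modelled, taint left unchanged
    return st


# Constructed sample: 16 bytes at 0x4000 were read from an untrusted file.
INPUT_BUF = range(0x4000, 0x4010)

# Constructed trace of a hijacked indirect call: the input byte is written
# over a function-pointer slot at 0x5000, then later used as a call target.
EXPLOIT_TRACE = [
    (0x401000, "mov", "eax", "[0x4000]"),    # eax <- attacker byte
    (0x401003, "mov", "[0x5000]", "eax"),    # overwrite function pointer slot
    (0x401009, "xchg", "ebx", "eax"),        # ebx now tainted, eax clean
    (0x40100b, "mov", "ecx", "[0x4004]"),    # ecx <- attacker byte
    (0x401011, "xor", "ecx", "ecx"),         # zeroing idiom: ecx clean
    (0x401013, "mov", "eax", "0x401030"),    # constant target
    (0x401018, "jmp", "eax"),                # clean: no alert
    (0x40101a, "call", "[0x5000]"),          # tainted slot: alert
    (0x401020, "jmp", "ebx"),                # tainted register: alert
]

# Constructed benign trace: input is consumed but never reaches a branch.
BENIGN_TRACE = [
    (0x402000, "mov", "eax", "[0x4000]"),
    (0x402003, "add", "eax", "0x1"),
    (0x402006, "mov", "[0x5004]", "eax"),
    (0x40200c, "mov", "eax", "0x402030"),
    (0x402011, "jmp", "eax"),
]

if __name__ == "__main__":
    for name, trace in (("exploit", EXPLOIT_TRACE), ("benign", BENIGN_TRACE)):
        st = analyze(trace, INPUT_BUF)
        print(name, [(hex(pc), what) for pc, what in st.alerts])
```

The zeroing-idiom rule matters in practice: without it, `xor ecx, ecx` after a tainted load would leave `ecx` tainted forever and produce a false alert on the next `jmp ecx`. Conversely the model under-taints (no flags, no implicit stack operands for `ret`), which is the usual trade-off an offline replay engine has to document.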

Description

Technical field [0001] The invention relates to an APT advanced threat detection method based on instruction monitoring. Background [0002] APT attacks are destructive, concealed and technically complex. In recent years APT attacks have emerged in an endless stream, growing exponentially, and have gradually evolved into a compound cyber threat combining various social engineering attacks with various 0-day exploits. Malicious code that infiltrates by exploiting system or software vulnerabilities has become the main means of APT attack, and the use or theft of legitimate digital signatures, browser exploits and watering-hole attacks replacing e-mail attacks will be the developing trend of APT attacks. At the same time, attackers pay more attention to anti-detection techniques for virtual environments, so as to evade the dynamic detection of security vendors. Unknown threats represented by APT attacks are very easy t...


Application Information

IPC(8): H04L29/06, G06F21/57, G06F21/56
CPC: G06F21/566, G06F21/577, H04L63/1416, H04L63/1433, H04L63/1441
Inventor 孙成胜魏勇魏涌涛
Owner CHINA ELECTRONICS TECH CYBER SECURITY CO LTD