Looking for breakthrough ideas for innovation challenges? Try Patsnap Eureka!

Detection method for APTs (Advanced Persistent Threat) based on instruction monitoring

A threat detection and command technology, applied in the field of APT advanced threat detection based on command monitoring, can solve the problems of inability to adapt to the security situation, lack of unknown attack detection capabilities and traffic in-depth analysis capabilities, achieve high reliability and scalability, and improve security. performance, reliability and efficiency

Active Publication Date: 2017-06-13
CHINA ELECTRONICS TECH CYBER SECURITY CO LTD
View PDF3 Cites 16 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

Traditional detection technologies such as firewalls, intrusion detection, security gateways, antivirus software, and anti-spam systems are mainly detected at the network border and host border, and they all lack the ability to detect unknown attacks and analyze traffic in depth.
This delayed response approach has been unable to adapt to the new security situation

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Detection method for APTs (Advanced Persistent Threat) based on instruction monitoring
  • Detection method for APTs (Advanced Persistent Threat) based on instruction monitoring
  • Detection method for APTs (Advanced Persistent Threat) based on instruction monitoring

Examples

Experimental program
Comparison scheme
Effect test

Embodiment Construction

[0024] A new APT advanced threat detection method based on instruction-level monitoring proposed by the present invention uses KVM virtualization and Intel hardware virtualization technology (Intel-VT) to perform function (API) level and instruction on malicious code in APT attacks. In-depth analysis of high-level behavior monitoring; and use taint analysis and other vulnerability detection methods to effectively detect unknown and known vulnerability exploitation behaviors from the root cause. The invention has the characteristics of high scalability, strong concealment, high data fidelity and the like.

[0025] One, overall structure of the present invention

[0026] Such as figure 1 As shown, the main modules include: custom ExKVM (extended KVM), multiple virtual machines, virtual machine introspection (LibVMI), taint analysis, operation monitoring and behavior log data analysis modules. The design goal of the present invention is to be able to deeply and efficiently anal...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

The invention discloses a detection method for APTs (Advanced Persistent Threat) based on instruction monitoring. The method is characterized in that identification for virtual machine execution behaviors on an Hypervisor level is realized through an ExKVM and a virtual machine introspection library LibVMI, monitoring outside a virtual machine for an operating state of a malicious code in the virtual machine is realized and vulnerability exploitation attacks are discovered by use of a dynamic offline taint analysis method; monitoring for a user-layer API and kernel-layer API execution is carried out without an invasion by use of a #BP address injection method outside the virtual machine; and tracking for kernel stack allocation is realized through the injection of the kernel memory allocation function and the kernel module structure operating function of Windows. The offline taints are analyzed and the malicious behaviors are discovered through tracking and recording write, exchange and branch instructions between a memory and a register during the malicious code execution. According to the invention, the vulnerability exploitation during the APT attack can be monitored effectively and the detection rate of malicious samples is improved.

Description

technical field [0001] The invention relates to an APT advanced threat detection method based on instruction monitoring. Background technique [0002] APT attacks are destructive, concealed, and technically complex: In recent years, APT attacks have emerged in an endless stream, with an exponential growth trend, and gradually evolved into a complex of various social engineering attacks and various 0day exploits. Threats of cyber attacks. Malicious codes that utilize various system or software vulnerabilities to infiltrate have become the main means of APT attacks, and using or embezzling legal authentication signatures, using browser vulnerabilities and watering hole attacks to replace mail attacks will become the development trend of APT attacks. At the same time, attackers also pay more attention to the anti-detection technology of the virtual environment, so as to avoid the dynamic detection of security vendors. Unknown threats represented by APT attacks are very easy t...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
IPC IPC(8): H04L29/06G06F21/57G06F21/56
CPCG06F21/566G06F21/577H04L63/1416H04L63/1433H04L63/1441
Inventor 孙成胜魏勇魏涌涛
Owner CHINA ELECTRONICS TECH CYBER SECURITY CO LTD
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Patsnap Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Patsnap Eureka Blog
Learn More
PatSnap group products

Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic, Popular Technical Reports.

© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap|About US| Contact US: help@patsnap.com