A method and device for protecting against advanced persistent threats

The technology, which is based on the business characteristics of user access behavior and is applied in transmission systems, electrical components, etc., addresses problems such as increased operating costs and reduced effectiveness for enterprises, and achieves the effects of curbing APT attacks, easy operation, and reduced operating costs.

Active Publication Date: 2021-02-26
CHINA MOBILE GROUP SICHUAN

AI Technical Summary

Problems solved by technology

[0003] However, current traditional security protection solutions mainly deploy protection devices, such as firewalls and intrusion prevention systems, to deal with APT attacks. Most of these devices protect on the basis of known rules. They generally have a rich feature library and rule base and can defend against known threats such as worms, Trojan horses, viruses, overflow attacks, scanning attacks, and brute force cracking. However, more and more attackers test whether they can bypass the security detection of the target network before launching an attack, and therefore use new attack methods such as zero-day threats, advanced evasion techniques such as deformation and polymorphism, and multi-stage attacks. These new attack methods cannot be effectively detected and defended against by traditional security mechanisms.
Under the new generation of threats, the effectiveness of security products based on signature technology and of security systems based on boundary protection is gradually decreasing.
In addition, to use and maintain the protective equipment effectively and reasonably, maintenance personnel need a high level of security expertise and rich experience in security operation and maintenance, which also increases the operating costs of enterprises to a certain extent.


Embodiment Construction

[0065] The present invention will be further described in detail below in conjunction with the accompanying drawings and specific embodiments.

[0066] Figure 1 is a schematic diagram of the implementation flow of the advanced persistent threat attack protection method in the embodiment of the present invention. As shown in Figure 1, the method includes:

[0067] Step 101: collecting network data packets of current user access behavior;

[0068] Step 102: analyzing the network data packets of the current user's access behavior to obtain the service characteristics of the current user's access behavior;

[0069] Step 103: Based on the horizontal neighborhood radius, horizontal critical value, vertical neighborhood radius, and vertical critical value of the business access rule of the business access baseline model, perform anomaly detection on the service characteristics of the current user's access behavior;

[0070] Step 104: When the business feature of the cu...


Abstract

The invention discloses an advanced persistent threat attack protection method, which: collects network data packets of the current user's access behavior; analyzes those packets to obtain the service characteristics of the current user's access behavior; performs anomaly detection on those service characteristics based on the horizontal neighborhood radius, horizontal critical value, vertical neighborhood radius, and vertical critical value of the business access rule of the business access baseline model; issues an abnormal traffic alarm when the service characteristics match the non-business access rules of the business access baseline model; and issues an unknown traffic alarm when the service characteristics match the normal unknown business access rules of the business access baseline model. The invention also discloses an advanced persistent threat attack protection device.
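The following sketch is an added example, not code from the patent. The page names the four parameters but does not define them, so it assumes a density-based reading: "horizontal" counts a rule's baseline samples from other users near the current features, and "vertical" counts samples from the same user's history. All values, feature names and the `unmatched` outcome are constructed assumptions.

```python
from math import dist

# Assumed parameter values; the page names these but gives no numbers.
H_RADIUS, H_CRITICAL = 1.5, 2   # horizontal: neighbours among other users
V_RADIUS, V_CRITICAL = 1.0, 2   # vertical: neighbours in the same user's history

# Constructed baseline model: (rule kind, user, feature vector). The features are
# a hypothetical pair: (requests per minute / 10, distinct destination ports).
BASELINE = [
    ("business", "alice", (2.0, 1.0)), ("business", "alice", (2.2, 1.0)),
    ("business", "bob", (2.1, 1.0)), ("business", "carol", (1.9, 1.0)),
    ("unknown_business", "alice", (5.0, 3.0)),
    ("unknown_business", "alice", (5.2, 3.0)),
    ("unknown_business", "bob", (5.1, 3.0)),
    ("unknown_business", "carol", (4.9, 3.0)),
    ("non_business", "alice", (9.0, 40.0)), ("non_business", "alice", (9.3, 40.0)),
    ("non_business", "bob", (9.1, 40.0)), ("non_business", "carol", (9.2, 40.5)),
]

# Alarm issued per matched rule kind, as stated in the abstract.
ALARMS = {
    "business": None,
    "non_business": "abnormal traffic alarm",
    "unknown_business": "unknown traffic alarm",
}


def matches(kind, user, features):
    """True when the rule's samples are dense around `features` in both directions."""
    samples = [(u, f) for k, u, f in BASELINE if k == kind]
    horizontal = sum(1 for u, f in samples
                     if u != user and dist(f, features) <= H_RADIUS)
    vertical = sum(1 for u, f in samples
                   if u == user and dist(f, features) <= V_RADIUS)
    return horizontal >= H_CRITICAL and vertical >= V_CRITICAL


def classify(user, features):
    """Return (matched rule kind, alarm). 'unmatched' is a case the page does not cover."""
    for kind in ("business", "non_business", "unknown_business"):
        if matches(kind, user, features):
            return kind, ALARMS[kind]
    return "unmatched", None
```

Under this reading, traffic that is common among other users but has too little support in the requesting user's own history fails the vertical critical value and matches no rule.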

Description

Technical field

[0001] The invention relates to network security defense technology, in particular to a method and device for protecting against advanced persistent threat attacks.

Background technique

[0002] With the rapid development of computer and network technology, network security has gradually become a potentially huge problem, and the endless stream of network security incidents, such as the famous American Prism Gate incident, has sounded the alarm. In the increasingly severe network security situation, how to continuously improve defense capabilities against network attacks and how to detect and warn of network attacks in time is the core issue that organizations and enterprise IT departments are concerned about. Among them, the Advanced Persistent Threat (APT) attack, as the main form of network attack at present, is the focus of attention and research. APT attack is a form of attack that uses advanced attack methods to carry out long-te...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): H04L29/06
CPC: H04L63/0263, H04L63/10, H04L63/14, H04L63/1441
Inventor: 周晓伟, 余扬舜
Owner: CHINA MOBILE GROUP SICHUAN