Advanced persistent threat attack detection method and device

An advanced persistent threat (APT) attack detection technology, applied in the field of communications, which addresses the problems that APT attacks are difficult for defense systems to detect and use complex attack methods.

Inactive Publication Date: 2018-11-23
ZTE CORP

Problems solved by technology

APT attacks are generally specially designed, use complex attack methods, and make greater use of 0day vulnerabilities (that is, vulnerabilities that have been discovered but have not yet been patched) to bypass traditional feature-code (signature) based security solutions.


Examples


Embodiment 1

[0056] This embodiment provides a method for detecting advanced persistent threat attacks which, as shown in Figure 1, includes:

[0057] Step 101: obtain the communication messages exchanged in the connection-establishment stage between the APT virus and the command and control server in an APT attack sample, and establish a field feature library from the fields of those messages;

[0058] Step 102: obtain the message to be detected and extract one or more fields from it;

[0059] The message to be detected can be acquired either online or offline. When it is obtained online, the obtained message can also be stored for subsequent offline use.

[0060] Step 103: match the extracted fields against their corresponding feature libraries and judge, according to the matching result, whether the message is an advanced persistent threat message.

[0061] Wherein, in step 101, the advanced persistent threat packet samp...

Embodiment 2

[0079] Figure 2 is a flow chart of the advanced persistent threat detection method provided by Embodiment 2 of the present invention. As shown in Figure 2, the method provided in this embodiment includes:

[0080] Step 201: establish the feature library;

[0081] In this embodiment, two feature libraries are established for each field: a first feature library and a second feature library. The method of establishing them is described below.

[0082] Step 202: collect message data.

[0083] If detection is performed in online mode, libpcap can be used to capture the network packets of the monitored target IP; if detection is performed in offline mode, the offline data is read. libpcap is a network packet capture library for the unix/linux platform, and most network monitoring software is based on it. Of course, other methods may also be used to obtain network d...
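The three-step scheme of Embodiment 1 (steps 101 to 103), Embodiment 2's two feature libraries per field, and the abstract's fuzzy-then-exact matching, as an added Python example that is not the patent's own code. The sample C2 messages, the HTTP field set, the token-overlap fuzzy score, the 0.6 threshold and the two-exact-field decision rule are all assumptions constructed here for illustration.

```python
import re

# Constructed sample set (not from the patent): header fields seen in the
# connection-establishment messages of hypothetical APT samples talking to C2.
SAMPLE_C2_MESSAGES = [
    {"method": "POST", "uri": "/update/check.php", "host": "cdn-sync.example",
     "user-agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"},
    {"method": "GET", "uri": "/update/stat.php", "host": "cdn-sync.example",
     "user-agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"},
]

def tokenize(value):
    """Alphanumeric tokens of 3+ chars; this is what the fuzzy (first) library stores."""
    return {t for t in re.split(r"[^a-z0-9]+", value.lower()) if len(t) >= 3}

def build_feature_library(samples):
    """Step 101: per field, a fuzzy token library and an exact full-value library."""
    lib = {}
    for msg in samples:
        for field, value in msg.items():
            entry = lib.setdefault(field, {"fuzzy": set(), "exact": set()})
            entry["fuzzy"].update(tokenize(value))
            entry["exact"].add(value)
    return lib

def extract_fields(raw):
    """Step 102: fields of an HTTP request: method, uri and lowercase header names."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, uri, _version = head[0].split(" ", 2)
    fields = {"method": method, "uri": uri}
    for line in head[1:]:
        name, _, value = line.partition(":")
        fields[name.strip().lower()] = value.strip()
    return fields

def match_fields(fields, lib, threshold=0.6):
    """Step 103: cheap fuzzy pass first; the exact pass runs only on fields that pass it."""
    result = {"fuzzy": [], "exact": []}
    for field, value in fields.items():
        entry = lib.get(field)
        toks = tokenize(value)
        if entry is None or not toks:
            continue
        if len(toks & entry["fuzzy"]) / len(toks) < threshold:
            continue  # fuzzy miss: skip the exact comparison entirely
        result["fuzzy"].append(field)
        if value in entry["exact"]:
            result["exact"].append(field)
    return result

def is_apt_message(raw, lib, min_exact_fields=2):
    """Assumed decision rule: APT when at least two distinct fields match exactly."""
    return len(match_fields(extract_fields(raw), lib)["exact"]) >= min_exact_fields
```

Requiring two exact field hits keeps a weak field such as the HTTP method from deciding on its own, while the fuzzy list still surfaces near-variants (for example a changed URI) for an analyst to review.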

Embodiment 3

[0146] This embodiment provides an advanced persistent threat attack detection device which, as shown in Figure 7, includes:

[0147] The feature library building module 701 is configured to obtain the communication messages exchanged in the connection-establishment stage between the advanced persistent threat virus and the command and control server in an advanced persistent threat attack sample, and to establish a field feature library from the fields in those messages;

[0148] The field extraction module 702 is configured to obtain the message to be detected and to extract one or more fields from it;

[0149] The matching module 703 is configured to match the extracted fields against their corresponding feature libraries and to judge, according to the matching result, whether the message is an advanced persistent threat message.

[0150] In an optional embodiment of the present invention, the device may also include an analysis module 704, configured to, for a message jud...


Abstract

The invention discloses an advanced persistent threat attack detection method and device. The method comprises the steps of obtaining the communication messages of the connection-establishment phase between the advanced persistent threat virus in an advanced persistent threat attack sample and its command and control server, and establishing feature libraries for the fields of those communication messages; obtaining a message to be detected and extracting one or more fields from it; and matching each extracted field against its corresponding feature library and judging, according to the matching result, whether the message is an advanced persistent threat message. According to the embodiment of the invention, the samples are analyzed, the feature libraries are established, and the message to be detected is matched against the feature libraries to judge whether it is an advanced persistent threat message, so such messages can be effectively detected. Two rounds of matching, fuzzy matching followed by accurate matching, are employed, so detection efficiency and accuracy are greatly improved.

Description

Technical field

[0001] The invention relates to communication technology, and in particular to a method and device for detecting advanced persistent threat attacks.

Background technique

[0002] An Advanced Persistent Threat (APT) is a form of attack in which an organization or group uses advanced attack methods to carry out long-term, persistent network attacks against specific targets. Compared with other forms of attack, the principle of an APT attack is more advanced: it integrates intelligence gathering, hacking techniques, social engineering and other means to launch complex, professional attacks on valuable information assets.

[0003] The difference between an APT attack and a traditional attack is that its purpose is very clear. Through careful planning, the attacker establishes long-term footholds and waits for the opportunity to complete the scheduled tasks. Careful organization by professionals, long-term monitoring, and dynamic adjustment of the attack process as defense weak...


Application Information

IPC: H04L29/06
CPC: H04L63/1416, H04L63/1425, H04L63/1433, H04L63/1441
Inventor: 王静戴震程光骆文田甜
Owner: ZTE CORP