Looking for breakthrough ideas for innovation challenges? Try Patsnap Eureka!

High-risk asset discovery and network attack tracing method based on TTP

A network attack, high-risk technology, applied in the field of traceability, can solve the problem of not being able to directly see the attacker's purpose and attack technology

Active Publication Date: 2020-05-19
HANGZHOU ANHENG INFORMATION TECH CO LTD
View PDF12 Cites 5 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

[0007] 1. Most of the current terminal detection security alarms are only alarms for abnormal behaviors themselves. The alarms cannot directly see the attacker's purpose and attack technology. The attacker's purpose and attack technology are described by mapping the alarm to the TTP number
[0008] 2. At present, the terminal can only alarm for malicious features, but many attacks will use Windows official tools to launch attacks, and some terminal detection products will be bypassed at this time
[0009] 3. At present, the alarms triggered by terminal detection are independent, and there is no overall perspective to connect the attacker's behavior. We draw the process tree according to the process of the compromised host, and attach relevant TTP information, which can clearly describe the malicious process on the machine. operating process and attack techniques

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • High-risk asset discovery and network attack tracing method based on TTP
  • High-risk asset discovery and network attack tracing method based on TTP
  • High-risk asset discovery and network attack tracing method based on TTP

Examples

Experimental program
Comparison scheme
Effect test

Embodiment 1

[0048] Embodiment 1, TTP-based high-risk asset discovery and network attack source tracing method, such as Figure 1-5 shown, including the following steps:

[0049] First, trace the source of the process tree for processes that have triggered TTP-related rules, and query whether other processes on the process tree have also detected TTP threats (pre-detection settings), and then display all detected TTP information to the corresponding process tree. process.

[0050] The process of TTP-related rules has been triggered. The detection of attack technology Techniques (TTP-related rules) comes from the Siem platform (security information event management platform, commonly known as the log analysis platform). Through the real-time detection capabilities of the Siem platform, the real-time transmitted Terminal logs, detection attack techniques Techniques. Operations in the original terminal data generally carry process information, which can be output to the alarm.

[0051] Whe...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

The invention provides a high-risk asset discovery and network attack tracing method based on TTP. The method comprises the following steps that process tree tracing is conducted on processes triggering TTP related rules, whether TTP threats are also detected by other processes on a process tree or not is inquired, and then all detected TTP information is displayed on the corresponding processes on the process tree; each attack technology Techniques is detected through an alarm rule model, each technology corresponds to one Techniques number (TTP number) after the technology Techniques is detected, and besides the Techniques number, tactical Tactics numbers are further included; when the attack technology Techniques is detected, the process tree of the attack process is traced; whether a plurality of attack technologies Techniques are covered on the process tree or not is analyzed; it is envisaged that when only one attack technology Techniques is detected on one process tree, it is possible to misreport a detection rule; and if multiple attack technologies Techniques are detected on one process tree, the probability that the equipment sinks and is controlled by an attacker is large, and multiple malicious attack behaviors are carried out.

Description

technical field [0001] The invention relates to a source tracing method, in particular to a TTP-based high-risk asset discovery and network attack source tracing method. Background technique [0002] In today's network, there are all kinds of hackers with different purposes to carry out network attacks on other individuals or enterprises on the Internet, in order to achieve their purposes of gaining benefits, improving reputation, political intentions and so on. However, in previous security incidents, enterprises had problems with the perception of compromised hosts in the network, and were often unable to detect attacks in the network in the first place. Hackers lurk within the organization for a long time, collecting information, stealing sensitive data or even destroying it. [0003] Before TTP was introduced into the field of network security, the problem found on the host could only be a threat point, and it was impossible to know the context of this threat point as c...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
Patent Type & Authority Applications(China)
IPC IPC(8): H04L29/06
CPCH04L63/1416H04L63/1425H04L63/1441
Inventor 罗家强范渊
Owner HANGZHOU ANHENG INFORMATION TECH CO LTD
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Patsnap Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Patsnap Eureka Blog
Learn More
PatSnap group products

Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic, Popular Technical Reports.

© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap|About US| Contact US: help@patsnap.com