
APT detection correlation analysis method based on graph algorithm

A correlation-analysis technology based on a graph algorithm, applied in the field of information security, which addresses the problems of undetected APT attacks, high false alarm rates and the inability to correlate attack events, and achieves visualization, high accuracy and a low false alarm rate.

Active Publication Date: 2020-06-09
SHENZHEN LEAGSOFT TECH

AI Technical Summary

Problems solved by technology

[0005] First, traditional firewalls, intrusion detection systems, security gateways, anti-virus software, anti-spam systems and other detection technologies mainly detect at the network boundary and the host boundary, and all of them lack the ability to detect and correlate APT attacks, especially 0day attacks.
[0006] Second, existing rule-based APT threat detection engines cannot effectively correlate large numbers of alarm events, or can only use ready-made indicators such as timestamps for simple correlation, and lack an understanding of the complex relationship between alarms and actual intrusions. They are also unable to correlate attack events that occurred on different hosts over a long period of time into one overall threat event.
On the other hand, this weak correlation analysis capability also causes a high false positive rate of detection.



Examples


Embodiment 1

[0051] A graph-algorithm-based APT detection association analysis method, see Figure 1, comprising the following steps:

[0052] S1: Collect end-user behavior data and kernel-level data generated by the detection system to obtain the original audit log data; specifically, the kernel-level data generated by the detection system includes real-time operation information of processes in the file and network dimensions.

[0053] S2: Store the original audit log data in a database with a graph algorithm; such a database includes a graph database, in which nodes represent entities (processes, files including PE files, and network endpoints) and relationships represent the relations between those entities.

[0054] Specifically, the method may store the original audit log data in a graph database or another database with a graph structure. In this database, nodes can have their own attributes, such as the name of a process, its startup paramete...

Example 1

[0068] Example 1: The path P1->P2->P3->P4->P5 represents the creation of a series of processes. The ancestor node of every node in this path is P1, so path correlation(P1, P5) = 1, indicating that the nodes of this path contain only one ancestor node. In practice, P1 through P5 have a strong information correlation.

Example 2

[0069] Example 2: In the path P1->F1->P2->P3->F2->P4, P1 writes data to F1, P2 reads data from F1 and then creates a child process P3, P3 writes the file F2, and F2 starts process P4. In this path the ancestor nodes of the successive nodes are P1, P1, P2, P2, P2 and P4 respectively, so the number of distinct ancestor nodes (the coverage) is 3 and path correlation(P1, P4) = 3, indicating that the nodes of this path contain three ancestor nodes. In practice, the information correlation between P1 and P4 is relatively weak. If, in the rule condition above (path correlation(P0, F) <= path thres), path thres is set to 2, then the path correlation degree of this path is 3, which is greater than 2, so the nodes in the path do not satisfy the TTP rule.

[0070] In addition, since there may be multiple paths between two nodes in the graph database, this method prefers the shortest path that contains key nodes. Key nodes mainly refer to the files and network endpoints operated on by processes. The addition of ...
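The following is an added worked example of steps S1 to S3 and of the path-correlation computation in Examples 1 and 2; it is the editor's illustration, not code from the patent or from Leagsoft. Everything in it is an assumption: the audit-record format, the node names, the rule that a node inherits its predecessor's ancestor only along process-creation and file-write edges (inferred from the ancestor sequences the two examples give: all P1 in Example 1, and P1, P1, P2, P2, P2, P4 in Example 2), and the extra P1->P4 edge used to exercise the shortest-path-with-key-nodes preference of [0070].

```python
"""Path correlation over a process/file/network provenance graph.

Editor's example, not the patent's code.  Assumed ancestor rule: a node
inherits its predecessor's ancestor along "create" (process -> process) and
"write" (process -> file) edges; on "read", "exec" and network edges the node
becomes its own ancestor.  Constructed audit records follow at the bottom.
"""
from collections import defaultdict

INHERITING = {"create", "write"}   # assumption, see module docstring
KEY_KINDS = {"file", "network"}    # key nodes per paragraph [0070]


def build_graph(records):
    """S2: turn (src, src_kind, edge, dst, dst_kind) records into an
    adjacency map {src: {dst: edge_type}} and a node-kind map."""
    graph = defaultdict(dict)
    kinds = {}
    for src, src_kind, edge, dst, dst_kind in records:
        graph[src][dst] = edge
        kinds[src] = src_kind
        kinds[dst] = dst_kind
    return graph, kinds


def path_ancestors(graph, path):
    """Ancestor of each node along the path; the first node is its own."""
    ancestors = []
    for i, node in enumerate(path):
        if i == 0:
            ancestors.append(node)
            continue
        edge = graph[path[i - 1]][node]
        ancestors.append(ancestors[-1] if edge in INHERITING else node)
    return ancestors


def path_correlation(graph, path):
    """Coverage: number of distinct ancestor nodes along the path."""
    return len(set(path_ancestors(graph, path)))


def satisfies_ttp(graph, path, path_thres):
    """Rule condition quoted in Example 2: path correlation <= path thres."""
    return path_correlation(graph, path) <= path_thres


def simple_paths(graph, src, dst):
    """All simple paths src -> dst (DFS; fine for graphs of this size)."""
    found, stack = [], [[src]]
    while stack:
        path = stack.pop()
        if path[-1] == dst:
            found.append(path)
            continue
        for nxt in graph.get(path[-1], {}):
            if nxt not in path:
                stack.append(path + [nxt])
    return found


def select_path(graph, kinds, src, dst):
    """[0070]: prefer the shortest path passing through a key node (a file or
    network endpoint); fall back to the shortest path if none has one."""
    paths = simple_paths(graph, src, dst)
    keyed = [p for p in paths if any(kinds[n] in KEY_KINDS for n in p[1:-1])]
    candidates = keyed or paths
    return min(candidates, key=len) if candidates else None


# Constructed records for Example 1: a pure process-creation chain.
EXAMPLE1 = [
    ("P1", "process", "create", "P2", "process"),
    ("P2", "process", "create", "P3", "process"),
    ("P3", "process", "create", "P4", "process"),
    ("P4", "process", "create", "P5", "process"),
]

# Constructed records for Example 2: P1 writes F1, P2 reads F1 and creates
# P3, P3 writes F2, F2 starts P4.
EXAMPLE2 = [
    ("P1", "process", "write", "F1", "file"),
    ("F1", "file", "read", "P2", "process"),
    ("P2", "process", "create", "P3", "process"),
    ("P3", "process", "write", "F2", "file"),
    ("F2", "file", "exec", "P4", "process"),
]

# Assumed extra edge so that two P1 -> P4 routes exist for select_path.
EXTRA_EDGE = [("P1", "process", "create", "P4", "process")]


if __name__ == "__main__":
    g1, _ = build_graph(EXAMPLE1)
    chain = ["P1", "P2", "P3", "P4", "P5"]
    print("Example 1:", path_ancestors(g1, chain), path_correlation(g1, chain))
    g2, k2 = build_graph(EXAMPLE2 + EXTRA_EDGE)
    chosen = select_path(g2, k2, "P1", "P4")
    print("Example 2:", path_ancestors(g2, chosen), path_correlation(g2, chosen),
          "satisfies TTP (thres 2):", satisfies_ttp(g2, chosen, 2))
```

With path thres = 2, the creation chain of Example 1 scores 1 and passes, while the file-mediated path of Example 2 scores 3 and fails, matching the page; select_path still returns the six-node route over the direct P1->P4 edge because only that route passes through a file node.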


Abstract

The graph-algorithm-based APT detection correlation analysis method provided by the invention comprises the following steps: acquiring end-user behavior data and kernel-level data generated by a detection system to obtain original audit log data; storing the original audit log data in a database with a graph algorithm; performing TTP rule matching on the original audit log data against an ATT&CK knowledge base model to obtain alarm events; and evaluating the strength of the dependency relationship between alarm events using the path correlation degree, constructing an APT attack scene graph, and promoting the original audit log data to APT attack steps. By analysing the correlation between an attacker's suspicious information flows at each attack stage, the method detects APT activity with high accuracy and a low false alarm rate, so that ongoing attack activity can be summarised and traced back effectively in real time, real-time network response is supported, and the attack scene is visualised.

Description

Technical field

[0001] The invention belongs to the technical field of information security and in particular relates to an APT detection association analysis method based on a graph algorithm.

Background

[0002] An advanced persistent threat (APT) is an attack form that uses advanced attack methods to carry out long-term, persistent network attacks against specific targets. APT attacks are more sophisticated than other attack forms. Their sophistication lies mainly in the fact that, before launching the attack, the APT actor must accurately collect the business processes and target systems of the victim. During this collection, the attacker actively digs out vulnerabilities in the victim's trusted systems and applications, uses these vulnerabilities to build the infrastructure the attacker needs, and attacks using 0day vulnerabilities.

[0003] APT attacks are mainly carried out against import...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F16/901, G06F16/2455, G06F16/18
CPC: G06F16/9024, G06F16/24564, G06F16/1815, Y02D10/00
Inventor 郭景楠
Owner SHENZHEN LEAGSOFT TECH