APT attack identification and defense method

An attack identification and defense technology, applied in neural learning methods, special data processing applications, biological neural network models and the like, which addresses the lack of reliable and practical APT attack identification and defense methods in the prior art and has the effect of keeping file content accurate and consistent (content retention).

Active Publication Date: 2020-11-17
上海境领信息科技有限公司

AI Technical Summary

Problems solved by technology

[0004] Reliable and practical APT attack identification and defense methods are still lacking in the prior art



Examples


Embodiment 1

[0055] As shown in Figure 1, the APT attack identification and defense method of this embodiment includes the following steps:

[0056] Step 1. Obtain the network and system logs and identify the APT attack behavior;

[0057] In this embodiment, the specific process in step 1 of obtaining the network and system logs and identifying the APT attack behavior is as follows:

[0058] Step 1A1, collect the network and system logs. Obtain the network link log records from the network logs; from the DNS logs, obtain the domain names of the relevant data in the network and system logs, and then look up their source IP addresses. For an access from a specific IP address, the DNS log resolves its source IP address, including the access parameters, the access content and the data returned by the DNS server;

[0059] Step 1A2, mine the logs on the basis of DBSCAN cluster analysis, find the logs of abnormal operations and identify them as APT attack behavior; the specific process is:

[0060] Step 1A21, sett...
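The following is an added example, not code from the patent, showing how steps 1A1 and 1A2 can be carried out end to end: parse a DNS log, pivot from a domain to the source IPs that queried it, build one feature vector per source, and run DBSCAN so that the sources left as noise are flagged as candidate APT behavior. The log format, the four per-source features, the min-max scaling and the eps/min_pts values are all assumptions; the patent only fixes that DBSCAN is applied to the logs and that the outliers are treated as attack behavior. The sample log is constructed, not captured traffic.

```python
"""Added example (not the patent's code): DBSCAN-based log mining of steps 1A1-1A2.
Assumed log line format: <unix_ts> <src_ip> <query_name> <bytes_returned> <rcode>."""
import math
from collections import defaultdict

NORMAL_DOMAINS = ["www.example.com", "mail.example.com", "cdn.example.net", "api.example.com"]


def build_sample_log():
    """Constructed sample, not real traffic: five workstations resolve a few corporate
    names; host 10.0.0.6 emits long random-looking labels that all fail (NXDOMAIN),
    the shape of DNS tunnelling or beaconing."""
    lines, ts = [], 1_600_000_000
    for i in range(1, 6):
        for j in range(3 + i % 3):                      # 3..5 queries per normal host
            lines.append(f"{ts} 10.0.0.{i} {NORMAL_DOMAINS[j % 4]} 120 NOERROR")
            ts += 7
    for k in range(12):
        label = "".join(chr(ord("a") + (7 * k + 3 * n) % 26) for n in range(32))
        lines.append(f"{ts} 10.0.0.6 {label}.tunnel.example.org 0 NXDOMAIN")
        ts += 1
    return "\n".join(lines)


def parse_dns_log(text):
    """Step 1A1: turn raw log lines into records."""
    records = []
    for line in text.splitlines():
        ts, src, qname, nbytes, rcode = line.split()
        records.append({"ts": int(ts), "src": src, "qname": qname,
                        "bytes": int(nbytes), "rcode": rcode})
    return records


def sources_for_domain(records, suffix):
    """Step 1A1 pivot: which source IPs asked for names under a given domain."""
    return sorted({r["src"] for r in records if r["qname"].endswith(suffix)})


def features_per_source(records):
    """One vector per source IP: query count, distinct names, mean name length, NXDOMAIN ratio."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)
    srcs, vecs = sorted(by_src), []
    for s in srcs:
        rs = by_src[s]
        vecs.append([len(rs),
                     len({r["qname"] for r in rs}),
                     sum(len(r["qname"]) for r in rs) / len(rs),
                     sum(r["rcode"] == "NXDOMAIN" for r in rs) / len(rs)])
    return srcs, vecs


def min_max_scale(vecs):
    """Put every feature on [0, 1] so a Euclidean eps means the same in each dimension."""
    dims = range(len(vecs[0]))
    lo = [min(v[d] for v in vecs) for d in dims]
    hi = [max(v[d] for v in vecs) for d in dims]
    return [[(v[d] - lo[d]) / (hi[d] - lo[d]) if hi[d] > lo[d] else 0.0 for d in dims]
            for v in vecs]


def dbscan(points, eps, min_pts):
    """Plain DBSCAN; returns a cluster id per point, -1 for noise."""
    n, labels, cluster = len(points), [None] * len(points), 0
    neighbours = lambda i: [j for j in range(n) if math.dist(points[i], points[j]) <= eps]
    for i in range(n):
        if labels[i] is not None:
            continue
        nb = neighbours(i)
        if len(nb) < min_pts:
            labels[i] = -1                               # provisional noise
            continue
        labels[i] = cluster
        queue = [j for j in nb if j != i]
        while queue:
            j = queue.pop()
            if labels[j] == -1:
                labels[j] = cluster                      # border point reached from a core point
            if labels[j] is not None:
                continue
            labels[j] = cluster
            nbj = neighbours(j)
            if len(nbj) >= min_pts:
                queue.extend(k for k in nbj if labels[k] is None)
        cluster += 1
    return labels


def find_anomalous_sources(log_text, eps=0.5, min_pts=3):
    """Step 1A2: sources DBSCAN leaves as noise are flagged as candidate APT behavior."""
    srcs, vecs = features_per_source(parse_dns_log(log_text))
    labels = dbscan(min_max_scale(vecs), eps, min_pts)
    return [s for s, lab in zip(srcs, labels) if lab == -1]


if __name__ == "__main__":
    log = build_sample_log()
    print("anomalous sources:", find_anomalous_sources(log))
    print("queried tunnel.example.org:", sources_for_domain(parse_dns_log(log), "tunnel.example.org"))
```

The noise label is a candidate, not a verdict: with min_pts=3 a single unusual but legitimate host (a DNS resolver, a vulnerability scanner) is also left as noise, so the flagged sources should be cross-referenced with the network link records of step 1A1 before being treated as attack behavior.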

Embodiment 2

[0100] As shown in Figure 2, this embodiment differs from Embodiment 1 in that after the false file of the same type is produced in step 4, a false-file label is also inserted into it; and a step 5 follows step 4, in which the false file is deleted afterwards.

[0101] After the false file of the same type is created in step 4, the specific method of inserting a false-file label into it is: extract the file name, extract the data of a specific part of the file content, synthesize the two into a new text, compute the hash value of that text, and then store the hash value together with the address of the file in the false-file identification database (that is, the database stores the specific address and specific content of the false file). The specific part of the content consists of the 234th to 243rd characters.

[0102] The above method of inserting false file tags and the method of synthesizing new text can...
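The following is an added example, not the patent's own code, implementing the label recipe of Embodiment 2 (file name plus characters 234 to 243 of the content, hashed, stored with the file address) and the step 5 deletion of expired decoys. The hash algorithm (SHA-256), the in-memory dictionary standing in for the false-file identification database, the `delete_after` timestamp and the sample files are assumptions. It also shows the caveat a practitioner should know: because only ten characters of content enter the hash, a genuine file with the same name that differs only outside that window produces the same label as the decoy.

```python
"""Added example (not the patent's code): false-file label and identification database
of Embodiment 2. SHA-256, the in-memory store and the sample contents are assumptions."""
import hashlib

LABEL_START, LABEL_END = 234, 243          # 1-based, inclusive, as stated in the patent


def label_text(file_name, content):
    """Synthesize the text to hash: file name plus characters 234..243 of the content.
    A file shorter than 243 characters (a case the patent does not discuss) contributes
    whatever part of the window exists."""
    return f"{file_name}\n{content[LABEL_START - 1:LABEL_END]}"


def compute_label(file_name, content):
    return hashlib.sha256(label_text(file_name, content).encode("utf-8")).hexdigest()


class FalseFileDB:
    """Assumed in-memory stand-in for the false-file identification database."""

    def __init__(self):
        self._entries = {}                  # label hash -> {path, excerpt, delete_after}

    def register(self, path, content, delete_after):
        name = path.rsplit("/", 1)[-1]
        label = compute_label(name, content)
        self._entries[label] = {"path": path,
                                "excerpt": content[LABEL_START - 1:LABEL_END],
                                "delete_after": delete_after}
        return label

    def is_false_file(self, path, content):
        """Recompute the label of a file as found on disk and look it up."""
        name = path.rsplit("/", 1)[-1]
        return compute_label(name, content) in self._entries

    def purge(self, now):
        """Step 5: delete false files once their predicted attack time has passed.
        Returns the paths that an operator (or a file-system hook) must remove."""
        gone = sorted(e["path"] for e in self._entries.values() if e["delete_after"] <= now)
        self._entries = {h: e for h, e in self._entries.items() if e["delete_after"] > now}
        return gone


# Constructed sample contents (30 rows of "rowNNN: DDDD", 390 characters in total).
DECOY = "".join(f"row{i:03d}: {(i * 17) % 1000:04d}\n" for i in range(30))
REAL_SAME_NAME = DECOY.replace("row018", "ROW018")        # differs inside the 234..243 window
REAL_OUTSIDE_WINDOW = DECOY.replace("row005", "ROW005")   # differs only outside the window
DECOY_PATH = "/srv/finance/q3_forecast.xlsx"              # hypothetical decoy location


def demo(attack_time=1_700_000_000):
    db = FalseFileDB()
    db.register(DECOY_PATH, DECOY, delete_after=attack_time)
    return {
        "decoy_detected": db.is_false_file(DECOY_PATH, DECOY),
        "real_file_detected": db.is_false_file(DECOY_PATH, REAL_SAME_NAME),
        "collision_outside_window": db.is_false_file(DECOY_PATH, REAL_OUTSIDE_WINDOW),
        "purged": db.purge(now=attack_time + 1),
        "detected_after_purge": db.is_false_file(DECOY_PATH, DECOY),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `collision_outside_window` result is the design trade-off of a fixed ten-character window: it keeps the label cheap to recompute on every file access, but it cannot distinguish a decoy from a genuine file that shares the name and those ten characters. A deployment that restores real content after the attack window should therefore key the restore on the stored path, not on the label alone.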

Embodiment 3

[0107] This embodiment differs from Embodiment 1 in the specific process, in step 1, of obtaining the network and system logs and identifying the APT attack behavior, which is as follows:

[0108] Step 1B1, acquire the user behavior characteristics;

[0109] In a specific implementation, acquiring the user behavior characteristics in step 1B1 means performing one-hot word-vector feature extraction on the user's behavior operations, covering the number of files affected, whether they are system files, whether they are confidential files and whether permissions are modified. The one-hot word vector uses a 128-dimensional word vector for feature extraction. The user behavior characteristics carry the security-level information of the operation behavior, which includes the number of files affected by the operation, whether it is a system file, whether it is a confidential file and whether it has modification authority. Ba...


Abstract

The invention discloses an APT attack identification and defense method. The method comprises the following steps: 1, acquiring network and system logs and identifying APT attack behaviors; 2, mining the attack subjects based on the web logs and determining the attack subjects of different targets; 3, counting the attack timelines of the attack subjects of different targets and predicting the next attack time of each; and 4, acquiring the attack file types expected by the attack subjects of different targets, manufacturing false files of the same type, and providing these files to the APT attacker according to the predicted next attack time of each attack subject, so as to defend against the APT attack. With this method the APT attack can be identified, its attack subjects mined and their attack timelines predicted; a large number of false files can be generated and tampered with automatically to mislead the attacker, deleted automatically once the attack timeline has passed, and the file content information recovered, so that the problem of APT attacks is solved at its root.

Description

Technical field
[0001] The invention belongs to the technical field of computer network security, and in particular relates to an APT attack identification and defense method.
Background
[0002] At present, state agencies and large companies frequently encounter APT attacks, whose purpose is to steal high-value confidential information, internal product information and the like. Such an attack does not always originate from a single attack subject: because compromising an important institution is highly profitable, many organizations have a motive for APT attacks. For example, as many as 13 attack organizations are publicly known internationally, and each attack source has its own targets. How to distinguish multiple attack sources and protect the corresponding internal file content according to each attack source has therefore become an important research direction.
[0003] In the existing technology, the ...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06, G06F16/35, G06N3/04, G06N3/08
CPC: H04L63/1416, H04L63/1458, H04L63/1466, G06F16/35, G06N3/08, G06N3/045
Inventors: 施勇, 傅烨文, 刘宁, 何翔
Owner: 上海境领信息科技有限公司