
CN106561024B - Enterprise-level-based remote APT detection method and high-performance server - Google Patents


Info

Publication number
CN106561024B
CN106561024B (application CN201510998978.6A)
Authority
CN
China
Prior art keywords
enterprise
data
performance server
detected
server
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201510998978.6A
Other languages
Chinese (zh)
Other versions
CN106561024A (en
Inventor
刘佳男
高喜宝
李柏松
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Antiy Technology Group Co Ltd
Original Assignee
Harbin Antian Science And Technology Group Co ltd
Events
Application filed by Harbin Antian Science And Technology Group Co ltd
Priority to CN201510998978.6A
Publication of CN106561024A
Application granted
Publication of CN106561024B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 ... for detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic > H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 ... for detecting or protecting against malicious traffic > H04L63/1408 ... by monitoring network traffic > H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 ... for detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic > H04L63/1475 Passive attacks, e.g. eavesdropping or listening without modification of the traffic monitored
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols > H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] > H04L67/025 ... for remote control or remote monitoring of applications
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols > H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an enterprise-level-based remote APT detection method, which comprises the following steps: setting a high-performance server inside an enterprise; synchronizing data of the equipment to be detected in the enterprise to the high-performance server; and the high-performance server detecting the data and determining whether an APT attack event exists. The invention also discloses an enterprise-level-based remote APT detection high-performance server, which is arranged inside an enterprise and comprises a data synchronization module and a detection judgment module. The technical scheme of the invention avoids the problem that traditional antivirus software is bypassed by an attacker, so that APT attack events cannot be effectively detected and defended against, and can effectively improve an enterprise's ability to detect APT events.

Description

Enterprise-level-based remote APT detection method and high-performance server
Technical Field
The invention relates to the technical field of information security, in particular to an enterprise-level-based remote APT detection method and a high-performance server.
Background
APT (Advanced Persistent Threat) is a long-term, persistent form of network attack against a particular target that uses advanced attack means. Because APT attacks are commonly used for political, commercial and military purposes, the attack is managed and planned over a long period and is highly covert. An APT hides itself and steals data or damages specific targets in a long-term, planned and organized manner; this behavior of collecting and stealing data is called "cyber espionage". The APT attack is therefore the most serious form of network attack directly threatening governments and enterprises.
For detecting and preventing APT, the prior art relies on threat intelligence and the participation of security analysts, with detection carried out through signature matching, heuristic behavior detection or a blacklist/whitelist mechanism. This is inefficient, consumes a great deal of manpower and time, and the detection result is often inaccurate. In most cases an attacker can apply anti-detection ("anti-kill") processing to malicious code so that the security product fails to detect it, and can also detect which security products are installed in the system and bypass them.
Disclosure of Invention
To address these technical problems, the technical scheme of the invention sets up a high-performance server inside the enterprise; no software component is installed on the devices to be detected, but the data of every device to be detected is synchronized to the high-performance server, which judges from the synchronized data whether suspicious attacks exist and thus whether an APT attack event exists. The high-performance server is independent of each device to be detected, and an attacker cannot obtain information about it, so it can conveniently detect and protect every device to be detected in the enterprise.
The invention is realized by adopting the following method: an enterprise-level-based remote APT detection method comprises the following steps:
setting a high-performance server inside an enterprise;
synchronizing data of equipment to be detected in an enterprise to the high-performance server; wherein the data is selected as desired, including but not limited to: hash values of system disk information, process information, thread information, port information, service information or registry information;
the high performance server detects the data and determines whether an APT attack event exists.
Further, the high-performance server detects the data and determines whether an APT attack event exists as follows:
the high-performance server customizes a detection rule according to the type of the equipment to be detected;
the high-performance server detects the data to judge whether an APT attack event exists or not based on the detection rule;
wherein, the type of equipment to be detected includes: a work machine or a server, the server comprising: web servers or FTP servers.
Still further, the detection rule includes: system integrity checking, difference analysis, timing analysis, or digital signature.
In the method, the step of synchronizing the data of the device to be detected in the enterprise to the high-performance server comprises the following steps: and synchronizing the data of the equipment to be detected in the enterprise to the high-performance server based on a preset time interval or in real time.
The invention can be realized by adopting the following system: an enterprise-level-based remote APT detection high-performance server, provided inside an enterprise, comprising:
the data synchronization module is used for synchronizing the data of the equipment to be detected in the enterprise to the high-performance server; wherein the data is selected as desired, including but not limited to: hash values of system disk information, process information, thread information, port information, service information or registry information;
and the detection judging module is used for detecting the data synchronized by the data synchronizing module and judging whether an APT attack event exists or not.
Further, the detection determination module is specifically configured to:
customizing a detection rule according to the type of the equipment to be detected;
detecting the data based on the detection rule and judging whether an APT attack event exists or not;
wherein, the type of equipment to be detected includes: a work machine or a server, the server comprising: web servers or FTP servers.
Still further, the detection rule includes: system integrity checking, difference analysis, timing analysis, or digital signature.
In the high-performance server, the data synchronization module is specifically configured to: and synchronizing the data of the equipment to be detected in the enterprise to the high-performance server based on a preset time interval or in real time.
In summary, the invention provides an enterprise-level-based remote APT detection method, which includes firstly, setting a high-performance server inside an enterprise; synchronizing data of equipment to be detected in an enterprise to the high-performance server; the high performance server detects the data and determines whether an APT attack event exists. The invention also provides an enterprise-level-based remote APT detection high-performance server.
The beneficial effects are as follows: the technical scheme of the invention differs from the traditional scan-and-remove method in that antivirus software is not installed on each device to be detected in the enterprise, because an attacker can bypass the antivirus software, so that the device to be detected cannot be effectively detected and protected. Instead, a high-performance server is erected inside the enterprise, independent of each device to be detected, so that an attacker cannot obtain information about the high-performance server; APT attack events can be detected more effectively and the information security of the enterprise is better protected.
Drawings
In order to more clearly illustrate the technical solution of the present invention, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments described in the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a flowchart of an embodiment of a remote APT detection method based on enterprise level according to the present invention;
fig. 2 is a block diagram of an embodiment of a remote APT detection high-performance server according to the present invention.
Detailed Description
The present invention provides an embodiment of an enterprise-level-based remote APT detection method and of a high-performance server. So that those skilled in the art can better understand the technical solutions in the embodiments of the present invention, and so that the above objects, features and advantages of the present invention become more obvious and understandable, the technical solutions are explained in detail below with reference to the accompanying drawings:
the present invention first provides an embodiment of an enterprise-level-based remote APT detection method, as shown in fig. 1, including:
s101, setting a high-performance server inside an enterprise; the high-performance server is independent of other equipment to be detected;
s102, synchronizing data of equipment to be detected in an enterprise to the high-performance server; wherein the data is selected as required, including: hash values of system disk information, process information, thread information, port information, service information, or registry information, etc.;
s103, the high-performance server detects the data and judges whether an APT attack event exists.
Preferably, the detecting the data and determining whether there is an APT attack event by the high-performance server is:
the high-performance server customizes a detection rule according to the type of the equipment to be detected;
the high-performance server detects the data based on the detection rule and judges whether an APT attack event exists or not;
wherein, the type of equipment to be detected includes: a work machine or a server, the server comprising: web servers or FTP servers.
More preferably, the detection rule includes: system integrity checking, difference analysis, timing analysis, or digital signature.
The system integrity check considers that changes to the system are mainly reflected in changes to files and to the registry. Therefore, information composed of files and registry entries is "snapshotted" and synchronized to the high-performance server at different time points (or before and after a malicious code infection), and the high-performance server judges whether attack behavior exists from the changes in that file and registry information.
The difference analysis method starts from the analysis of system anomalies. Depending on their trigger conditions, attack modes, anti-detection means, propagation paths and other behavior, the various types of malicious code show certain anomalies in system processes, ports, threads, services, drivers, the registry, directories, files and the like; whether attack behavior exists can be judged from the change in the synchronized data before and after the anomaly.
The timing analysis method considers that malicious code has time attributes, namely that the files of a piece of malicious code are correlated in time with one another. This temporal correlation can be used to detect the presence of an attack.
The digital signature method judges the integrity of a file and the identity of its signer by verifying the file's digital signature. Many files of the Windows operating system carry Microsoft's digital signature, whereas files not from Microsoft cannot carry it. Common programs with a digital signature are checked for information correspondence, that is, the program name is matched against its digital signature; if the two do not correspond, the program is abnormal or suspicious. By a similar method, signed system files, common applications and suspicious files can easily be distinguished.
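The timing analysis described above (files of one piece of malicious code being correlated in time) can be implemented on the server side over the synchronized file metadata. The following is an added illustration, not code from the patent or its assignee: it sorts the synchronized (path, timestamp) records, groups records whose timestamps chain together within a short gap, and flags groups that contain an executable-type file and fall outside a known maintenance window. The suffix list, the 30-second gap, the sample records and the install window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Illustrative list of file types that commonly appear together in a malware drop
# (an assumption for this example, not a list from the patent).
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".ps1", ".vbs", ".bat")


def cluster_by_time(records, max_gap=timedelta(seconds=30)):
    """Split (path, timestamp) records into groups whose consecutive timestamps
    are no more than max_gap apart. Files written in one burst land in one group."""
    ordered = sorted(records, key=lambda rec: rec[1])
    clusters, current = [], []
    for path, ts in ordered:
        if current and ts - current[-1][1] > max_gap:
            clusters.append(current)
            current = []
        current.append((path, ts))
    if current:
        clusters.append(current)
    return clusters


def suspicious_clusters(records, install_windows=(), max_gap=timedelta(seconds=30), min_size=2):
    """Return the clusters that are large enough, contain at least one
    executable-type file and do not lie entirely inside a known maintenance
    window. install_windows is a list of (start, end) datetimes, e.g. from
    change records of approved patch installs."""
    flagged = []
    for cluster in cluster_by_time(records, max_gap):
        if len(cluster) < min_size:
            continue
        if not any(path.lower().endswith(EXECUTABLE_SUFFIXES) for path, _ in cluster):
            continue
        start, end = cluster[0][1], cluster[-1][1]
        if any(w_start <= start and end <= w_end for w_start, w_end in install_windows):
            continue  # burst is explained by approved install activity
        flagged.append(cluster)
    return flagged


# Constructed sample of synchronized file metadata: one patch-install burst,
# one isolated document, and one burst of executables in a user temp directory.
T0 = datetime(2015, 12, 28, 9, 0, 0)
SAMPLE_RECORDS = [
    ("Windows/System32/drivers/netio.sys", T0),
    ("Windows/System32/ntoskrnl.exe", T0 + timedelta(seconds=4)),
    ("Windows/System32/kernel32.dll", T0 + timedelta(seconds=9)),
    ("Users/alice/Documents/report.docx", T0 + timedelta(hours=2)),
    ("Users/alice/AppData/Local/Temp/svchost.exe", T0 + timedelta(hours=3)),
    ("Users/alice/AppData/Local/Temp/config.dat", T0 + timedelta(hours=3, seconds=2)),
    ("Users/alice/AppData/Roaming/loader.dll", T0 + timedelta(hours=3, seconds=5)),
]
# The patch install is recorded as an approved maintenance window.
INSTALL_WINDOWS = [(T0 - timedelta(minutes=1), T0 + timedelta(minutes=5))]


def demo():
    """Run the timing analysis over the constructed sample."""
    return suspicious_clusters(SAMPLE_RECORDS, INSTALL_WINDOWS)


if __name__ == "__main__":
    for cluster in demo():
        print("suspicious burst:", [path for path, _ in cluster])
```

The gap threshold and the maintenance windows are the tuning knobs: a gap that is too large merges unrelated activity into one group, and without recorded install windows every patch run would be reported, so in practice the windows come from the same synchronized data (change records of approved installs) rather than being hand-entered.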
For example, if the type of the device to be detected is a web server: a web server generally sees changes only to the files in its web directory, while its other files normally do not change. The high-performance server therefore customizes detection rules according to the characteristics of the web server; it can select the system integrity check method to examine the synchronized data and judge whether suspicious file changes exist, whether PE files exist, or whether active outbound connection behavior exists, and can further filter the outbound URLs against a whitelist to improve the accuracy of the judgment.
If the type of the device to be detected is an FTP server, the difference analysis method can be selected so as to pay attention to directory changes according to the working characteristics of the FTP server, and then judge whether suspicious operations exist.
If the type of the device to be detected is an ordinary workstation, the hashes of the files on the workstation's system disk can be synchronized to the high-performance server, and whether suspicious operations exist is judged from the change between the before and after detections.
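The system integrity check, the difference analysis and the per-device-type rule customization described in the three cases above can be combined on the server side as a snapshot diff with a rule table. The following is an added example, not code from the patent or its assignee: a device synchronizes a snapshot of file hashes (plus the first two bytes of each file, so a PE file can be recognized by its MZ header), the server diffs consecutive snapshots, and a device-type rule decides which changes are expected. The rule table, the directory prefixes, the severities, the sample snapshots and the URLs are all constructed assumptions.

```python
import hashlib
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    sha256: str    # hash of the file content
    magic: bytes   # first two bytes of the file; b"MZ" marks a Windows PE file


def snapshot_directory(root: str) -> dict:
    """Build {relative_path: FileRecord} for every file under root.
    This is the data a device would synchronize to the server."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                head = fh.read(2)
                digest.update(head)
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = FileRecord(digest.hexdigest(), head)
    return snap


def diff_snapshots(before: dict, after: dict) -> dict:
    """Difference analysis: which paths appeared, vanished or changed content."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after)
                           if before[p].sha256 != after[p].sha256),
    }


# Hypothetical per-device-type rules following the patent's examples: a web
# server normally changes only its web directory, an FTP server only its upload
# directory, and a workstation is judged purely by before/after change.
DEVICE_RULES = {
    "web": {"expected_change_prefix": "var/www/", "flag_pe": True},
    "ftp": {"expected_change_prefix": "srv/ftp/", "flag_pe": True},
    "workstation": {"expected_change_prefix": None, "flag_pe": False},
}


def evaluate(device_type, before, after, external_urls=(), url_whitelist=()):
    """Return a list of (severity, message) findings for one snapshot pair."""
    rules = DEVICE_RULES[device_type]
    delta = diff_snapshots(before, after)
    prefix = rules["expected_change_prefix"]
    findings = []
    for kind in ("added", "modified", "removed"):
        for path in delta[kind]:
            if prefix is not None and not path.startswith(prefix):
                findings.append(("high", f"{kind} outside expected area: {path}"))
            elif prefix is None:
                findings.append(("info", f"{kind}: {path}"))
            if kind != "removed" and rules["flag_pe"] and after[path].magic == b"MZ":
                findings.append(("high", f"PE file {kind}: {path}"))
    # Outbound connections observed on the device, filtered against a whitelist.
    for url in external_urls:
        if url not in url_whitelist:
            findings.append(("medium", f"outbound connection not in whitelist: {url}"))
    return findings


def demo():
    """Constructed web-server snapshots: a normal page edit, a PE file dropped into
    the web directory, a script written outside it, and one unknown outbound URL."""
    before = {"var/www/index.html": FileRecord("a" * 64, b"<!"),
              "etc/passwd": FileRecord("b" * 64, b"ro")}
    after = {"var/www/index.html": FileRecord("c" * 64, b"<!"),
             "etc/passwd": FileRecord("b" * 64, b"ro"),
             "var/www/uploads/svc.exe": FileRecord("d" * 64, b"MZ"),
             "tmp/run.sh": FileRecord("e" * 64, b"#!")}
    return evaluate("web", before, after,
                    external_urls=["https://updates.example.org", "http://203.0.113.5/update"],
                    url_whitelist=["https://updates.example.org"])


if __name__ == "__main__":
    for severity, message in demo():
        print(severity, message)
```

Storing the first two bytes alongside the hash keeps the synchronized data small while still letting the server apply the "does a PE file exist" rule without pulling the file itself; the whitelist check is deliberately exact-match, since prefix or substring matching on URLs is a common way for such filters to be fooled.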
In the embodiment of the method, the step of synchronizing the data of the device to be detected in the enterprise to the high-performance server comprises the following steps: and synchronizing the data of the equipment to be detected in the enterprise to the high-performance server based on a preset time interval or in real time.
The present invention further provides an embodiment of an enterprise-level-based remote APT detection high-performance server, as shown in fig. 2, where the high-performance server is disposed inside an enterprise, and includes:
the data synchronization module 201 is used for synchronizing data of the equipment to be detected in the enterprise to the high-performance server;
a detection and determination module 202, configured to detect data synchronized by the data synchronization module 201 and determine whether an APT attack event exists.
Preferably, the detection determining module is specifically configured to:
customizing a detection rule according to the type of the equipment to be detected;
detecting the data based on the detection rule and judging whether an APT attack event exists or not;
wherein, the type of equipment to be detected includes: a work machine or a server, the server comprising: web servers or FTP servers.
More preferably, the detection rule includes: system integrity checking, difference analysis, timing analysis, or digital signature.
In the embodiment of the high-performance server, the data synchronization module is specifically configured to: and synchronizing the data of the equipment to be detected in the enterprise to the high-performance server based on a preset time interval or in real time.
The embodiments are described in a progressive manner; the same or similar parts of the various embodiments can be referred to from each other, and each embodiment focuses on its differences from the others. The method embodiment and the high-performance server embodiment can be cross-referenced where they relate to each other.
As described above, the embodiments above provide an enterprise-level-based remote APT detection method and an embodiment of a high-performance server, where a high-performance server is built inside an enterprise, key data of all devices to be detected inside the enterprise are synchronized to the high-performance server, and whether an APT attack event exists inside the enterprise is determined by comparing previous and subsequent data or selecting or customizing a detection rule based on the type of each device to be detected.
In summary, the embodiment described above sets up a separate high-performance server, which prevents an attacker from perceiving it and then taking countermeasures; the high-performance server can communicate with all devices in the enterprise, receive the data synchronized from every device to be detected, and judge from the synchronized data whether suspicious attack events exist; more preferably, the embodiment can customize the detection rule according to the type and characteristics of each device to be detected, so that APT attack events are identified more effectively. The technical scheme of the invention differs from a cloud-upload detection method in that there is only a one-way operation: the data of the devices to be detected is synchronized to the high-performance server, and no data feedback, software update or similar operation is performed on the devices to be detected.
The above examples are intended to illustrate but not to limit the technical solutions of the present invention. Any modification or partial replacement without departing from the spirit and scope of the present invention should be covered in the claims of the present invention.

Claims (8)

1. An enterprise-level-based remote APT detection method is characterized by comprising the following steps:
setting a high-performance server inside an enterprise;
synchronizing data of equipment to be detected in an enterprise to the high-performance server; wherein the data is selected as desired, including but not limited to: hash values of system disk information, process information, thread information, port information, service information or registry information;
the high performance server detects the data and determines whether an APT attack event exists.
2. The method of claim 1, wherein the high performance server detecting the data and determining whether an APT attack event exists is:
the high-performance server customizes a detection rule according to the type of the equipment to be detected;
the high-performance server detects the data based on the detection rule and judges whether an APT attack event exists or not;
wherein, the type of equipment to be detected includes: a work machine or a server, the server comprising: web servers or FTP servers.
3. The method of claim 2, wherein the detection rule comprises: system integrity checking, difference analysis, timing analysis, or digital signature.
4. The method according to any one of claims 1 to 3, wherein the step of synchronizing the data of the device to be detected inside the enterprise to the high-performance server comprises the following steps: and synchronizing the data of the equipment to be detected in the enterprise to the high-performance server based on a preset time interval or in real time.
5. An enterprise-level-based remote APT detection high-performance server, disposed inside an enterprise, comprising:
the data synchronization module is used for synchronizing the data of the equipment to be detected in the enterprise to the high-performance server; wherein the data is selected as desired, including but not limited to: hash values of system disk information, process information, thread information, port information, service information or registry information;
and the detection judging module is used for detecting the data synchronized by the data synchronizing module and judging whether an APT attack event exists or not.
6. The high-performance server according to claim 5, wherein the detection determination module is specifically configured to:
customizing a detection rule according to the type of the equipment to be detected;
detecting the data based on the detection rule and judging whether an APT attack event exists or not;
wherein, the type of equipment to be detected includes: a work machine or a server, the server comprising: web servers or FTP servers.
7. The high-performance server of claim 6, wherein the detection rule comprises: system integrity checking, difference analysis, timing analysis, or digital signature.
8. The high-performance server according to any one of claims 5 to 7, wherein the data synchronization module is specifically configured to: and synchronizing the data of the equipment to be detected in the enterprise to the high-performance server based on a preset time interval or in real time.
CN201510998978.6A 2015-12-28 2015-12-28 Enterprise-level-based remote APT detection method and high-performance server Active CN106561024B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510998978.6A CN106561024B (en) 2015-12-28 2015-12-28 Enterprise-level-based remote APT detection method and high-performance server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510998978.6A CN106561024B (en) 2015-12-28 2015-12-28 Enterprise-level-based remote APT detection method and high-performance server

Publications (2)

Publication Number Publication Date
CN106561024A CN106561024A (en) 2017-04-12
CN106561024B true CN106561024B (en) 2020-05-19

Family

ID=58485464

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510998978.6A Active CN106561024B (en) 2015-12-28 2015-12-28 Enterprise-level-based remote APT detection method and high-performance server

Country Status (1)

Country Link
CN (1) CN106561024B (en)

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101707632A (en) * 2009-10-28 2010-05-12 浪潮电子信息产业股份有限公司 Method for dynamically monitoring performance of server cluster and alarming real-timely
US8677487B2 (en) * 2011-10-18 2014-03-18 Mcafee, Inc. System and method for detecting a malicious command and control channel
CN103532780B (en) * 2013-10-11 2017-09-22 北京有度致远信息科技股份有限公司 O&M for IT field monitors integral system and integrated monitoring method
CN103634306B (en) * 2013-11-18 2017-09-15 北京奇虎科技有限公司 The safety detection method and safety detection server of network data

Also Published As

Publication number Publication date
CN106561024A (en) 2017-04-12

Similar Documents

Publication Publication Date Title
US10264104B2 (en) Systems and methods for malicious code detection accuracy assurance
Javaheri et al. Detection and elimination of spyware and ransomware by intercepting kernel-level system routines
US10095866B2 (en) System and method for threat risk scoring of security threats
KR101057432B1 (en) System, method, program and recording medium for detection and blocking the harmful program in a real-time throught behavior analysis of the process
CN107659583B (en) Method and system for detecting attack in fact
CN106687971B (en) Automatic code locking to reduce attack surface of software
US8793682B2 (en) Methods, systems, and computer program products for controlling software application installations
CN105024976B (en) A kind of advanced constant threat attack recognition method and device
RU2726032C2 (en) Systems and methods for detecting malicious programs with a domain generation algorithm (dga)
EP3374870B1 (en) Threat risk scoring of security threats
US9961093B1 (en) Monitoring for reverse-connection network activity to detect a remote-administration tool
CN111565202B (en) Intranet vulnerability attack defense method and related device
KR101697189B1 (en) System and Method for Cyber Attack History Tracking based on Scenario
CN105791250B (en) Application program detection method and device
US20050086512A1 (en) Worm blocking system and method using hardware-based pattern matching
KR20110131627A (en) Apparatus for detecting malicious code using structure and characteristic of file, and terminal thereof
CN106561024B (en) Enterprise-level-based remote APT detection method and high-performance server
KR102211846B1 (en) Ransomware detection system and operating method thereof
EP3252645B1 (en) System and method of detecting malicious computer systems
TWI711939B (en) Systems and methods for malicious code detection
KR101283440B1 (en) System for block off a data spill using booby trap signature and method thereof
CN108737358B (en) Update protection system for fixed environment and update protection method thereof
CN115720150A (en) RASP-based WAF linkage protection method, device, equipment and medium
CN114969739A (en) Network attack traceability analysis method and system based on timeline
Aucsmith Rethinking Cyber Defense

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 150028 Building 7, Innovation Plaza, Science and Technology Innovation City, Harbin High-tech Industrial Development Zone, Heilongjiang Province (838 Shikun Road)

Applicant after: Harbin antiy Technology Group Limited by Share Ltd

Address before: 506 room 162, Hongqi Avenue, Nangang District, Harbin Development Zone, Heilongjiang, 150090

Applicant before: Harbin Antiy Technology Co., Ltd.

GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 150028 Building 7, Innovation Plaza, Science and Technology Innovation City, Harbin High-tech Industrial Development Zone, Heilongjiang Province (838 Shikun Road)

Patentee after: Antan Technology Group Co.,Ltd.

Address before: 150028 Building 7, Innovation Plaza, Science and Technology Innovation City, Harbin High-tech Industrial Development Zone, Heilongjiang Province (838 Shikun Road)

Patentee before: Harbin Antian Science and Technology Group Co.,Ltd.