CN108200053A - Record the method and device of APT attack operations - Google Patents
Publication number: CN108200053A (application CN201711485306.0A)
Authority: CN (China)
Legal status: Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Abstract
The application provides a method and device for recording APT attack operations, relating to the field of communication security. The method can record APT attack operations completely and effectively, improving the security of user data. The method includes: when a process starts, obtaining APT trace data related to the process, the APT trace data including user-mode data and kernel-mode data related to the APT attack; and recording the APT trace data.
Description
Technical field
This application relates to the field of communication security, and in particular to a method and device for recording APT attack operations.
Background
An Advanced Persistent Threat (APT) is a long-lasting network attack carried out against a specific target using particular technical means. Compared with other attack forms, an APT attack has a longer latent period and steals a larger volume of data, so the security of user data is relatively low.
In a common intrusion, the user can install antivirus software to intercept the attacker's illegal intrusion. However, in one APT attack scenario the attacker collects partial data of a particular terminal to obtain that terminal's login credentials or login password, and then uses the obtained credentials to steal the data the attacker needs through legitimate software. In this scenario, antivirus software cannot effectively record the operations of legitimate software, so it cannot trace back the root cause of the attack on the terminal or take corresponding defensive measures against the attack, and data security is relatively low.
Summary of the invention
The application provides a method and device for recording APT attack operations, which can comprehensively record data related to APT attack operations and improve the security of the data.
To achieve the above objectives, the application adopts the following technical scheme.
In a first aspect, the application provides a method for recording APT attack operations. The method includes: when a process starts, obtaining APT trace data related to the process, the APT trace data including user-mode data and kernel-mode data related to the APT attack; and recording the APT trace data.
In a second aspect, the application provides a device for storing telecom number. The device includes an acquisition module and a recording module. The acquisition module is used to obtain, when a process starts, APT trace data related to the process, the APT trace data including user-mode data and kernel-mode data related to the APT attack; the recording module is used to record the APT trace data.
In a third aspect, the application provides a device for storing telecom number. The device includes a processor, a transceiver and a memory. The memory is used to store one or more programs, which include computer-executable instructions; when the device runs, the processor executes the computer-executable instructions stored in the memory so that the device performs the method for storing telecom number described in the first aspect or any of its optional implementations.
In a fourth aspect, the application provides a computer-readable storage medium in which instructions are stored; when a device executes the instructions, the device performs the method for storing telecom number described in the first aspect or any of its optional implementations.
Compared with the prior art, in which antivirus software cannot effectively record the operations of an APT attack when an attacker intrudes on a terminal, the method and device for recording APT attack operations provided by the application take the process as the dimension: when a process starts, they obtain kernel-mode and user-mode data related to that process and to the APT attack operation, and record that kernel-mode and user-mode data. Thus, when an attacker calls a process in the terminal to carry out an APT attack and perform illegal operations on the terminal, the application records both the illegal user-mode operations and the illegal kernel-mode operations, so the attacker's attack operation trace is recorded more comprehensively. In subsequent processing the attack source can then be determined from the APT attack operation trace and corresponding defensive measures taken against the APT attack, improving data security.
Description of the drawings
Fig. 1 is a schematic diagram of the communication system architecture provided by embodiments of the application;
Fig. 2 is a schematic diagram of the composition of the communication system provided by embodiments of the application;
Fig. 3 is a flow diagram of the method for recording APT attack operations provided by embodiments of the application;
Fig. 4 is a schematic diagram of the event tree provided by embodiments of the application;
Fig. 5 is a structural diagram of the device for recording APT attack operations provided by embodiments of the application;
Fig. 6 is another structural diagram of the device for recording APT attack operations provided by embodiments of the application.
Detailed description of embodiments
The method and device for recording APT attack operations provided by embodiments of the application are described in detail below with reference to the accompanying drawings.
The term "and/or" herein only describes an association relationship between associated objects and indicates that three relationships may exist; for example, A and/or B may mean: A alone, both A and B, or B alone.
In addition, the terms "comprising" and "having" mentioned in the description of the application, and any variants of them, are intended to cover non-exclusive inclusion. For example, a process, method, system, product or device that contains a series of steps or units is not limited to the listed steps or units, but may optionally include other steps or units that are not listed, or other steps or units inherent to that process, method, product or device.
It should be noted that in the embodiments of the application, words such as "exemplary" or "for example" are used to indicate an example, illustration or explanation. Any embodiment or design described as "exemplary" or "for example" in the embodiments of the application should not be interpreted as preferred or more advantageous than other embodiments or designs. Specifically, the words "exemplary" or "for example" are intended to present the related concept in a concrete way.
In the description of the application, unless otherwise specified, "multiple" means two or more.
The method for recording APT attack operations provided by embodiments of the application can be applied in the communication network shown in Fig. 1. As shown in Fig. 1, the communication network may include terminals and a server side. A user-mode hook program and a kernel-mode hook program are set in each terminal in Fig. 1: the user-mode hook program obtains user-mode APT trace data and the kernel-mode hook program obtains kernel-mode APT trace data. The server side obtains the APT trace data from each terminal and, based on that data, traces the APT attack to its source, thereby determining the device that initiated the APT attack and the attacker's attack pattern, so that subsequent APT attacks can be prevented.
It should be noted that Fig. 1 is only an illustrative architecture diagram; in addition to the functional units shown in Fig. 1, the network architecture may include other functional units, and the embodiments of the application do not limit this.
The above terminal may be user equipment (UE), such as a mobile phone or computer, and may also be a cellular phone, cordless phone, Session Initiation Protocol (SIP) phone, smart phone, personal digital assistant (PDA), laptop computer, hand-held communication device, hand-held computing device, and so on.
Fig. 2 is a schematic diagram of the composition of the communication system provided by embodiments of the application. Referring to Fig. 2, the server side of the communication system includes a communication interface 2002 and a server-side interface 2001. A user enters instructions through the server-side interface 2001, and the instructions are issued to the terminal through the communication interface 2002. The server side can also issue feature codes to the terminal through the communication interface 2002; these feature codes are used to discover APT attacks by matching. The server side can also issue APT management strategies to the terminal through the communication interface 2002; the APT management strategies are used to subsequently prevent APT attacks.
An attacker calls a terminal process to perform illegal operations. When process 2101 in the terminal is started by remote control, the kernel behaviour callback interface 2203 sends a process creation notification to the user-mode hook manager 2201 and to the kernel-mode hook manager 2202, so that the user-mode hook manager 2201 sets a user-mode hook program for the process and the kernel-mode hook manager 2202 sets a kernel-mode hook program for the process. The user-mode hook program then obtains user-mode APT trace data and reports it to the user-mode hook manager 2201, which judges the type of the data: if the reported data type belongs to a data type included in the whitelist, the user-mode hook manager 2201 sends the data through communication interface 2204 to the data recording unit 2106, which stores the data in the database. Similarly, the kernel-mode hook program can also send kernel-mode APT trace data to the data recording unit 2106 through communication interface 2204.
After the threat discovery engine 2105 obtains the feature codes issued by the server side, it scans the APT trace data stored in the database; if it determines that a feature code matches the features of the stored APT trace data, it determines that the APT trace data comes from an APT attacker.
After the threat discovery engine 2105 determines that the terminal has been attacked by an APT, it sends a notification to the management engine 2103, instructing the management engine 2103 to further prevent the APT attack according to the APT management strategy issued by the server side.
Embodiments of the application provide a method for recording APT attack operations. As shown in Fig. 3, the method may include S301-S304.
S301: when a process starts, the terminal obtains APT trace data related to the process.
The APT trace data includes user-mode data and kernel-mode data related to the APT attack.
When an attacker starts a process in the terminal by remote control to carry out illegal operations, the kernel behaviour callback interface 2203 in Fig. 2 detects the process start and sends a process creation notification to the user-mode hook manager 2201 in the terminal, instructing the user-mode hook manager 2201 to set a user-mode hook program for the process. Similarly, the kernel behaviour callback interface 2203 sends a process creation notification to the kernel-mode hook manager 2202, instructing the kernel-mode hook manager 2202 to set a kernel-mode hook program for the process.
Specifically, in S301 the user-mode APT trace data related to the process is obtained by the user-mode hook program, and the kernel-mode APT trace data related to the process is obtained by the kernel-mode hook program. For example, if the attacker calls process 1 in the terminal and, through process 1, accesses file 1 in the terminal, the APT trace data obtained by the kernel-mode hook program may be the identifier of the file the attacker accessed, i.e. file 1, and the APT trace data obtained by the user-mode hook program may be the Internet Protocol (IP) address of the device the attacker uses.
The kernel-mode hook program obtains basic data, which includes but is not limited to data related to file operations, and the user-mode hook program obtains the other data apart from the basic data. For example, when an attacker carries out a remote APT attack and, through the attacker's device, remotely reads file 1 (related to the identity of the legitimate user who suffers the APT attack, referred to below simply as the user) and working file 2 (related to the user's position) in the user's terminal, the kernel-mode hook program obtains the operation data related to the files, i.e. the identifiers of the files the attacker read, file 1 and file 2, while the user-mode hook program can obtain the address information of the attacker's device and the local Transmission Control Protocol (TCP) connection data. The types of basic data listed above are only illustrative; the specific types of basic data can be set according to the practical application scenario, and the embodiments of the application do not limit this.
It is worth noting that, in the prior art, kernel mode is generally very sensitive: if many programs run in kernel mode, or the programs in kernel mode have many pending events and messages, the operating system is likely to crash. In view of this working characteristic of kernel mode, in the embodiments of the application the kernel-mode hook program running in kernel mode is only used to obtain basic data. This simplifies the implementation of the kernel-mode hook program, reduces the pressure on kernel mode while the program runs there, and thereby reduces complex logic operations and parameter acquisition in kernel mode, so that the operating system runs smoothly and the performance of the terminal is improved.
S302: the terminal records the APT trace data.
Specifically, S302 can be implemented as:
S3021: the terminal judges whether the obtained APT trace data is preset-type data, where the preset-type data includes any one or more of the following: data related to file operations, data related to the registry, data related to TCP connections and data related to Domain Name System (DNS) queries; if so, S3022 is performed.
The TCP connection related data and DNS query related data are used to trace the attacker's address.
S3022: the terminal records the APT trace data.
It should be emphasised that the user-mode hook program and kernel-mode hook program obtain a lot of APT trace data, some of which is only weakly associated with the APT attack. For example, in this APT attack the user-mode hook program obtains data related to local TCP connections in the terminal; since local TCP connections are usually unrelated to APT attacks, that data need not be stored. On this basis a whitelist can be set. The data types in the whitelist include registry related data in the terminal, file operation related data, the attacker's addressing related data, the attacker's account, TCP connection related data, DNS query related data and so on, and the types listed in the whitelist are strongly associated with the APT attack. Continuing the example above, suppose the APT trace data obtained by the terminal includes data related to file reads and writes, the attacker's address information and local TCP connection data. Since the local TCP connection data is not a preset type included in the whitelist, that data is weakly associated with or unrelated to the APT attack, i.e. APT source tracing cannot be completed from it. Therefore, to reduce the storage burden of the terminal, the terminal stores only the file read/write related data and the attacker's network address information from the obtained data.
The terminal stores the APT trace data in a database. Alternatively, to improve the read/write speed of the APT trace data, the terminal stores the APT trace data using a caching technology; for example, the terminal may store the APT trace data using Remote Dictionary Server (Redis) caching.
Specifically, the execution flow of S302 is shown in Fig. 2: after the user-mode hook program intercepts the APT trace data of the remote attacker (i.e. the attacker), it sends the intercepted APT trace data to the user-mode hook manager 2201, which judges whether the APT trace data is preset-type data included in the whitelist; if so, the user-mode hook manager 2201 sends the APT trace data through communication interface 2204 to the data recording unit 2106, which stores the APT trace data. Similarly, the data recording unit 2106 can perform the above storage operation for kernel-mode APT trace data.
Optionally, S3022, recording the APT trace data, can be implemented as:
S3022a: the terminal converts the APT trace data into event-tree format.
In the scenario where an attacker opens a terminal process by remote operation to attack the terminal, if a threatening process exists in the terminal, the terminal can trace the cause of the threat by searching for the parent process of the threatening process, i.e. it records the chain leading to the threat in event-tree form. As shown in Fig. 4, the terminal finds that the upper-level parent process of the processes a.vbs and Auto run is a.exe, and that the parent process of a.exe is svsHost; the terminal can then provisionally determine svsHost as the cause of the threat and perform further operations to determine the cause of the threat.
S3022b: the terminal records the APT trace data in event-tree format.
The APT trace data in event-tree format is recorded as shown in Fig. 4.
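As an added illustration that is not code from the patent, the following Python sketch combines the S3021 whitelist check with the S3022a event-tree conversion: it drops trace records whose type is not a preset type, links process-creation events by parent pid, and walks from a threatening process up to its top-most known parent as in Fig. 4. The record fields, the `kind` names and the pid values are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Preset data types kept by the whitelist (S3021): file operations, registry,
# TCP connection and DNS query related data. Anything else, such as local
# TCP connections, is dropped before recording. Names are constructed.
WHITELIST_TYPES = {"file_op", "registry", "tcp_conn", "dns_query"}


@dataclass(frozen=True)
class TraceRecord:
    """One APT trace record reported by a hook program (constructed layout)."""
    pid: int
    kind: str      # data type the hook manager judges against the whitelist
    source: str    # "kernel" or "user", i.e. which hook program reported it
    detail: str    # file identifier, registry key, remote address, queried name


def filter_whitelist(records, whitelist=WHITELIST_TYPES):
    """S3021/S3022: keep only records whose type is a preset (whitelisted) type."""
    return [r for r in records if r.kind in whitelist]


@dataclass
class ProcessNode:
    pid: int
    name: str
    ppid: Optional[int]
    children: List["ProcessNode"] = field(default_factory=list)


def build_event_tree(process_events):
    """S3022a: link process-creation events into a tree keyed by pid.

    process_events is an iterable of (pid, ppid, name) tuples, the shape the
    kernel behaviour callback is assumed to deliver in this example.
    """
    nodes: Dict[int, ProcessNode] = {
        pid: ProcessNode(pid, name, ppid) for pid, ppid, name in process_events
    }
    for node in nodes.values():
        parent = nodes.get(node.ppid) if node.ppid is not None else None
        if parent is not None and parent is not node:
            parent.children.append(node)
    return nodes


def threat_chain(nodes, pid):
    """Walk parent links from a threatening process up to its top-most parent.

    Returns process names from the threatening process upwards; the last name
    is what the text provisionally treats as the cause of the threat. The walk
    stops on an unknown parent or on a cycle, so a malformed event stream
    cannot make it loop forever.
    """
    chain, seen = [], set()
    node = nodes.get(pid)
    while node is not None and node.pid not in seen:
        seen.add(node.pid)
        chain.append(node.name)
        node = nodes.get(node.ppid) if node.ppid is not None else None
    return chain


# Constructed sample input mirroring the Fig. 4 scenario in the text.
SAMPLE_RECORDS = [
    TraceRecord(pid=300, kind="file_op", source="kernel", detail="file 1"),
    TraceRecord(pid=300, kind="file_op", source="kernel", detail="file 2"),
    TraceRecord(pid=300, kind="tcp_conn", source="user", detail="192.168.1.23:443"),
    TraceRecord(pid=300, kind="local_tcp", source="user", detail="127.0.0.1:5000"),
    TraceRecord(pid=300, kind="dns_query", source="user", detail="example.invalid"),
]
SAMPLE_PROCESS_EVENTS = [
    (100, None, "svsHost"),
    (200, 100, "a.exe"),
    (300, 200, "a.vbs"),
    (301, 200, "Auto run"),
]

if __name__ == "__main__":
    kept = filter_whitelist(SAMPLE_RECORDS)
    print(f"{len(kept)} of {len(SAMPLE_RECORDS)} records pass the whitelist")
    tree = build_event_tree(SAMPLE_PROCESS_EVENTS)
    print("threat chain:", " -> ".join(threat_chain(tree, 300)))
```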
In embodiments of the application, the server side sends feature codes for matching APT attacks to the terminal in advance. After the above APT trace data has been stored in the terminal, the terminal obtains the feature code of the APT trace data, and if that feature code contains a preset feature code, the terminal sends an alarm message to the server side, the alarm message carrying the APT trace data. The preset feature code is a characteristic behaviour code of APT attack operations. For example, if a certain APT attack usually calls process A in the terminal to perform file read/write operations, then calling process A can be used as the preset feature code. It can be understood that when the feature code of the APT trace data contains the preset feature code, the remote operation corresponding to the APT trace data also called process A; at this point the terminal provisionally treats the remote operation corresponding to the APT trace data as a threatening operation and sends an alarm message to the server side, so that the server side further determines whether the remote operation is an APT attack operation.
In embodiments of the application, the server side can also actively initiate a query instruction; the terminal responds to the query instruction by querying its currently stored APT trace data and sending corresponding feedback to the server side, so that the server side determines the initiating device and the attack pattern of the APT attack. Specifically, S303 and S304 can be performed.
S303: the terminal receives a query instruction from the server side, the query instruction carrying attribute information of the APT attack.
Suppose that initially the server side sends an APT query instruction to terminal 1 of the enterprise in Fig. 1, and terminal 1 feeds back APT trace data to the server side. The data indicates that a certain device logged in with account 1 by remote operation and accessed the user identification document and user job file stored in terminal 1. After that, the device remotely logs in to terminal 1 with account 1 more than once, and the address of the device that logged in to terminal 1 with account 1 is not a commonly used device address of the enterprise. This indicates that an attacker has probably stolen and used the user's legitimate account 1, so in this scenario the server side provisionally treats account 1 as an abnormal account.
It can be understood that the above way of determining an abnormal account is only illustrative; the specific way of determining an abnormal account can be set according to the practical application scenario, and the embodiments of the application do not limit this.
After determining abnormal account 1, the server side can send a query instruction to the other terminals in the enterprise, where the query instruction includes attribute information of the APT attacker. Optionally, the attribute information may be the above abnormal account 1.
S304: if the terminal determines that APT trace data related to the attribute information exists, it sends the APT trace data related to the attribute information to the server side, so that the server side determines the device that initiated the APT attack according to the APT trace data related to the attribute information.
Suppose that in the system shown in Fig. 1, terminals 1 to 5 receive the query instruction sent by the server side. Terminal 1 queries its stored APT trace data and determines that abnormal account 1 once accessed it, so terminal 1 sends the APT trace data related to the abnormal account to the server side. Terminal 2 queries its stored APT trace data and determines that abnormal account 1 never accessed it, so terminal 2 does not respond to the query instruction. Terminal 3 queries its stored APT trace data and determines that abnormal account 1 once accessed it, so terminal 3 sends the APT trace data related to the abnormal account to the server side. Terminal 4 queries its stored APT trace data and determines that abnormal account 1 never accessed it, so terminal 4 does not respond to the query instruction. Terminal 5 queries its stored APT trace data and determines that abnormal account 1 never accessed it, so terminal 5 does not respond to the query instruction.
The server side receives the APT trace data of terminal 1 and terminal 3. The APT trace data of terminal 1 indicates that abnormal account 1 once accessed terminal 1, that abnormal account 1 read the bank data file of terminal 1, and that the login IP of abnormal account 1 is 192.168.1.23. The APT trace data of terminal 3 indicates that abnormal account 1 once accessed terminal 3, that abnormal account 1 likewise read the bank data file of terminal 3, and that the login IP of abnormal account 1 is 192.168.1.23. The server side therefore determines from the APT trace data of terminal 1 and terminal 3 that the attacked terminals are terminal 1 and terminal 3, that the operation performed by the attacker is reading the bank data file, and that the attacker's device IP is 192.168.1.23. At this point the server side has determined the attack range of the APT attack, i.e. terminal 1 and terminal 3; the attack means of the APT attack, i.e. reading the bank data file; and the attacker's device IP, i.e. 192.168.1.23.
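The abnormal-account heuristic, the S303/S304 query exchange and the server's source tracing described above, as an added Python example that is not part of the patent. Terminal names, record fields and every address other than the 192.168.1.23 quoted in the text are constructed, and the set of commonly used enterprise addresses is an assumed input.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class TraceRecord:
    """APT trace data a terminal stored for one remote operation (constructed layout)."""
    account: str     # login account the remote device used
    login_ip: str    # address the account logged in from
    operation: str   # e.g. "read"
    target: str      # file the operation touched


@dataclass(frozen=True)
class QueryInstruction:
    """S303: query instruction carrying the APT attack attribute (here an abnormal account)."""
    account: str


def find_abnormal_accounts(records, enterprise_addresses):
    """Heuristic from the text: an account that logged in from an address outside
    the enterprise's commonly used addresses is provisionally treated as abnormal."""
    return sorted({r.account for r in records if r.login_ip not in enterprise_addresses})


def respond_to_query(terminal_records, instruction):
    """S304, terminal side: return the trace data related to the attribute.
    An empty list means the terminal has nothing to report and stays silent."""
    return [r for r in terminal_records if r.account == instruction.account]


def query_terminals(terminals, instruction):
    """Server side: send the instruction to every terminal and keep non-empty responses."""
    responses: Dict[str, List[TraceRecord]] = {}
    for name, records in terminals.items():
        matched = respond_to_query(records, instruction)
        if matched:
            responses[name] = matched
    return responses


def trace_source(responses):
    """Derive the attack range, attack means and attacker device IP from the responses."""
    records = [r for recs in responses.values() for r in recs]
    return {
        "attacked_terminals": sorted(responses),
        "attack_means": sorted({f"{r.operation} {r.target}" for r in records}),
        "attacker_ips": sorted({r.login_ip for r in records}),
    }


# Constructed sample: five terminals as in the text; only terminals 1 and 3 hold
# trace data for account 1, which logged in from 192.168.1.23.
ENTERPRISE_ADDRESSES = {"192.168.1.5", "192.168.1.40"}
TERMINALS = {
    "terminal 1": [
        TraceRecord("account 1", "192.168.1.23", "read", "bank data file"),
        TraceRecord("account 7", "192.168.1.5", "read", "user job file"),
    ],
    "terminal 2": [TraceRecord("account 7", "192.168.1.5", "read", "user job file")],
    "terminal 3": [TraceRecord("account 1", "192.168.1.23", "read", "bank data file")],
    "terminal 4": [],
    "terminal 5": [TraceRecord("account 9", "192.168.1.40", "write", "report.docx")],
}


def run_trace(terminals=TERMINALS, enterprise_addresses=ENTERPRISE_ADDRESSES):
    """Full flow: flag abnormal accounts from terminal 1's feedback, then query
    every terminal for each one and summarise the attack."""
    abnormal = find_abnormal_accounts(terminals["terminal 1"], enterprise_addresses)
    return {
        account: trace_source(query_terminals(terminals, QueryInstruction(account)))
        for account in abnormal
    }


if __name__ == "__main__":
    for account, summary in run_trace().items():
        print(account, summary)
```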
It can be understood that before the server side performs the above APT source tracing flow, i.e. determining the attacker's attack range, attack means and device IP, the server side can issue, through communication interface 2002, an APT management strategy for intercepting or handling APT attacks to the terminal. Then, after APT source tracing is completed, i.e. after the attacked terminals and the APT attack means have been found, the server side can intercept and handle the APT attack according to the APT management strategy. Specifically, the server side issues the APT management strategy to the management engine 2103 of the terminal through communication interface 2002, and the management engine 2103 issues the APT management strategy to the user-mode hook program, kernel-mode hook program, user-mode hook manager 2201 and kernel-mode hook manager 2202. The user-mode hook program, kernel-mode hook program, user-mode hook manager 2201 and kernel-mode hook manager 2202 in the terminal then cut off the connection with the attacker, or take other measures to prevent further APT attacks, according to the APT management strategy.
The method of the embodiments of the application is described below with reference to a concrete application scenario.
In one APT attack, the attacker obtains the account of an enterprise employee and penetrates the enterprise intranet; later, the attacker executes remote attack commands and steals enterprise data through the obtained legitimate account. With the above method of determining an abnormal account, when the server side finds an abnormal account it can send a query instruction to each terminal; from the APT trace data fed back by each terminal, the server side can determine which terminals the abnormal account accessed, which content of those terminals the abnormal account accessed, and the login IP of the abnormal account, and thereby obtain the attack trace of the entire APT attack.
The embodiments of the application can divide the above device into functional modules or functional units according to the above method examples; for example, each functional module or functional unit may correspond to one function, or two or more functions may be integrated in one processing module. The above integrated module may be implemented in the form of hardware or in the form of a software functional module or functional unit. The division of modules or units in the embodiments of the application is schematic and is only a division by logical function; other divisions are possible in actual implementation.
Fig. 5 shows a possible structural diagram of the device involved in the above embodiments. The device 50 includes a receiving module 501, a sending module 502, an acquisition module 503, a judgment module 504 and a recording module 505.
The acquisition module 503 is used to obtain, when a process starts, APT trace data related to the process, the APT trace data including user-mode data and kernel-mode data related to the APT attack.
The recording module 505 is used to record the APT trace data.
In another implementation of the embodiments of the application, the judgment module 504 is further used to judge whether the obtained APT trace data is preset-type data, where the preset-type data includes any one or more of the following: data related to file operations, data related to the registry, data related to TCP connections and data related to DNS queries.
The recording module 505 is further used to record the APT trace data if it is determined that the obtained APT trace data is preset-type data.
In another implementation of the embodiments of the application, the recording module 505 is specifically used to convert the APT trace data into event-tree format and to record the APT trace data in event-tree format.
In another implementation of the embodiments of the application, the acquisition module 503 is further used to obtain the feature code of the APT trace data.
The sending module 502 is used to send an alarm message to the server side if the feature code contains a preset feature code, the alarm message carrying the APT trace data.
In another implementation of the embodiments of the application, the receiving module 501 is used to receive a query instruction from the server side, the query instruction carrying attribute information of the APT attack.
The sending module 502 is further used to send the APT trace data related to the attribute information to the server side if it is determined that such APT trace data exists, so that the server side determines the device that initiated the APT attack according to the APT trace data related to the attribute information.
In the prior art, when an attacker intrudes a terminal, antivirus software cannot effectively record the operations of an APT attack. By contrast, the device for recording APT attack operations provided by this application obtains, when a process starts and with that process as the unit of collection, the kernel-mode and user-mode data that is related to the process and to the APT attack operations, and records that kernel-mode and user-mode data. When an attacker invokes a process on the terminal to carry out an APT attack and performs illegal operations on the terminal, this application records the illegal operations in user mode as well as those in kernel mode, so the attacker's operation track is recorded more completely. In subsequent processing the attack source can then be determined from the APT attack operation track and corresponding defensive measures taken against the APT attack, improving the security of the data.
Fig. 6 shows another possible structure of the device involved in the above embodiments. The device 60 includes a processing unit 602 and a communication unit 603. The processing unit 602 controls and manages the actions of the device; for example, it performs the steps performed by the acquisition module 503, the judgment module 504 and the logging module 505 above, and/or other processes of the technology described herein. The communication unit 603 supports communication between the device 60 and other network entities; for example, it performs the steps performed by the receiving module 501 and the sending module 502 above. The device 60 may further include a storage unit 601 and a bus 604; the storage unit 601 stores the program code and data of the device 60.
The processing unit 602 may be a processor or controller in the device 60, which may implement or execute the various illustrative logic blocks, modules and circuits described in connection with this disclosure. The processor or controller may be a central processing unit, a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit, a field-programmable gate array or other programmable logic device, a transistor logic device, a hardware component, or any combination of these. It may also be a combination that implements computing functions, such as a combination of one or more microprocessors, or a DSP together with a microprocessor.
The communication unit 603 may be a transceiver, a transceiver circuit, a communication interface or the like in the device 60.
The storage unit 601 may be a memory in the device 60. The memory may include volatile memory, such as random access memory, and may also include non-volatile memory, such as read-only memory, flash memory, a hard disk or a solid-state disk; it may also be a combination of the above kinds of memory.
The bus 604 may be an Extended Industry Standard Architecture (EISA) bus or the like. The bus 604 may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation only a single thick line is drawn in Fig. 6, which does not mean that there is only one bus or only one type of bus.
From the above description of the embodiments it is clear to those skilled in the art that the division into the above functional modules is used only for convenience and brevity of description. In practical application the above functions may be assigned to different functional modules as needed, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the functions described above. For the specific working process of the system, device and units described above, refer to the corresponding process in the foregoing method embodiments; it is not repeated here.
The embodiments of this application also provide a computer-readable storage medium storing instructions. When the above device executes the instructions, the device performs each step of the method flow shown in the above method embodiments.
The computer-readable storage medium may be, but is not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of these. More specific examples (a non-exhaustive list) of computer-readable storage media include: an electrical connection with one or more wires, a portable computer diskette, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM), a register, a hard disk, an optical fibre, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, any suitable combination of the above, or any other form of computer-readable storage medium well known in the art.
An exemplary storage medium is coupled to the processor so that the processor can read information from, and write information to, the storage medium. The storage medium may also be an integral part of the processor. The processor and the storage medium may reside in an application-specific integrated circuit (ASIC). In the embodiments of this application, the computer-readable storage medium may be any tangible medium that contains or stores a program for use by, or in connection with, an instruction execution system, apparatus or device.
The above are only specific embodiments of this application, but the scope of protection of this application is not limited to them; any change or replacement within the technical scope disclosed in this application shall be covered by the scope of protection of this application. The scope of protection of this application shall therefore be that of the claims.
Claims (10)
- 1. A method for recording advanced persistent threat (APT) attack operations, characterised by comprising: when a process starts, obtaining APT track data associated with the process, the APT track data including user-mode data and kernel-mode data related to the APT attack; and recording the APT track data.
- 2. The method according to claim 1, characterised in that, after obtaining the APT track data associated with the process, the method further comprises: determining whether the obtained APT track data is of a preset type, the preset types including any one or more of: data related to file operations, data related to the registry, data related to Transmission Control Protocol (TCP) connections and data related to Domain Name System (DNS) queries; and if so, recording the APT track data.
- 3. The method according to claim 1 or 2, characterised in that recording the APT track data comprises: converting the APT track data into data in event tree format; and recording the APT track data in event tree format.
- 4. The method according to claim 1, characterised in that, after recording the APT track data, the method further comprises: obtaining a feature code of the APT track data; and if the feature code includes a preset feature code, sending an alarm message to the server, the alarm message carrying the APT track data.
- 5. The method according to claim 1, characterised in that, after recording the APT track data, the method further comprises: receiving a query instruction from the server, the query instruction carrying attribute information of the APT attack; and if it is determined that APT track data associated with the attribute information exists, sending the APT track data associated with the attribute information to the server, so that the server determines, from the APT track data associated with the attribute information, the device that launched the APT attack.
- 6. A device for recording APT attack operations, characterised by comprising: an acquisition module, configured to obtain, when a process starts, APT track data associated with the process, the APT track data including user-mode data and kernel-mode data related to the APT attack; and a logging module, configured to record the APT track data.
- 7. The device according to claim 6, characterised in that the device further comprises a judgment module; the judgment module is further configured to determine whether the obtained APT track data is of a preset type, the preset types including any one or more of: data related to file operations, data related to the registry, data related to TCP connections and data related to DNS queries; and the logging module is further configured to record the APT track data if the obtained APT track data is determined to be of a preset type.
- 8. The device according to claim 6 or 7, characterised in that the logging module is specifically configured to convert the APT track data into data in event tree format and to record the APT track data in event tree format.
- 9. The device according to claim 6, characterised in that the device further comprises a sending module; the acquisition module is further configured to obtain a feature code of the APT track data; and the sending module is configured to send an alarm message to the server if the feature code includes a preset feature code, the alarm message carrying the APT track data.
- 10. The device according to claim 6, characterised in that the device further comprises a receiving module; the receiving module is configured to receive a query instruction from the server, the query instruction carrying attribute information of the APT attack; and the sending module is further configured to send the APT track data associated with the attribute information to the server if it is determined that such data exists, so that the server determines, from the APT track data associated with the attribute information, the device that launched the APT attack.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711485306.0A CN108200053B (en) | 2017-12-30 | 2017-12-30 | Method and device for recording APT attack operation |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108200053A true CN108200053A (en) | 2018-06-22 |
CN108200053B CN108200053B (en) | 2021-05-14 |
Family
ID=62586777
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711485306.0A Active CN108200053B (en) | 2017-12-30 | 2017-12-30 | Method and device for recording APT attack operation |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108200053B (en) |
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102594625A (en) * | 2012-03-07 | 2012-07-18 | 北京启明星辰信息技术股份有限公司 | White data filter method and system in APT (Advanced Persistent Threat) intelligent detection and analysis platform |
CN103716289A (en) * | 2012-10-08 | 2014-04-09 | 江苏中科慧创信息安全技术有限公司 | Attack control method for protecting service system |
CN104283889A (en) * | 2014-10-20 | 2015-01-14 | 国网重庆市电力公司电力科学研究院 | Electric power system interior APT attack detection and pre-warning system based on network architecture |
US20160117498A1 (en) * | 2014-10-25 | 2016-04-28 | Intel Corporation | Computing platform security methods and apparatus |
CN104598824A (en) * | 2015-01-28 | 2015-05-06 | 国家计算机网络与信息安全管理中心 | Method and device for detecting malicious programs |
CN106909847A (en) * | 2017-02-17 | 2017-06-30 | 国家计算机网络与信息安全管理中心 | A kind of method of Malicious Code Detection, apparatus and system |
Non-Patent Citations (1)
Title |
---|
闫张浩: "提高防御APT攻击性能的入侵检测***的设计与实现" (Design and implementation of an intrusion detection *** with improved defence performance against APT attacks), 《中国优秀硕士学位论文全文数据库信息科技辑》 (China Master's Theses Full-text Database, Information Science and Technology series) * |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112307469A (en) * | 2019-07-29 | 2021-02-02 | 北京奇虎科技有限公司 | Kernel intrusion prevention method and device, computing equipment and computer storage medium |
CN112307470A (en) * | 2019-07-29 | 2021-02-02 | 北京奇虎科技有限公司 | Method and device for detecting intrusion kernel, computing equipment and computer storage medium |
CN112398786A (en) * | 2019-08-15 | 2021-02-23 | 奇安信安全技术(珠海)有限公司 | Penetration attack identification method, device, system, storage medium and electronic device |
CN112398786B (en) * | 2019-08-15 | 2023-08-15 | 奇安信安全技术(珠海)有限公司 | Method and device for identifying penetration attack, system, storage medium and electronic device |
CN111181918A (en) * | 2019-11-29 | 2020-05-19 | 杭州安恒信息技术股份有限公司 | TTP-based high-risk asset discovery and network attack tracing method |
CN111181918B (en) * | 2019-11-29 | 2021-11-16 | 杭州安恒信息技术股份有限公司 | TTP-based high-risk asset discovery and network attack tracing method |
CN111294351A (en) * | 2020-01-26 | 2020-06-16 | 重庆邮电大学 | Security identification method for network attack |
CN112699369A (en) * | 2021-01-12 | 2021-04-23 | 安芯网盾(北京)科技有限公司 | Method and device for detecting abnormal login through stack backtracking |
CN113395287A (en) * | 2021-06-22 | 2021-09-14 | 杭州默安科技有限公司 | Method and system for recording network attack IP and command execution echo |
CN113395287B (en) * | 2021-06-22 | 2022-06-28 | 杭州默安科技有限公司 | Method and system for recording network attack IP and command execution echo |
Also Published As
Publication number | Publication date |
---|---|
CN108200053B (en) | 2021-05-14 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||