CN117978542B

CN117978542B - Digital stand-by defense system design method and device for advanced persistent threat

Info

Publication number: CN117978542B
Application number: CN202410362098.9A
Authority: CN
Inventors: 李书豪; 吴广君; 云晓春; 宋奇格; 汤子贤
Original assignee: Beijing Zhongguancun Laboratory
Current assignee: Beijing Zhongguancun Laboratory
Priority date: 2024-03-28
Filing date: 2024-03-28
Publication date: 2024-07-09
Anticipated expiration: 2044-03-28
Also published as: CN117978542A

Abstract

The invention discloses a digital stand-by defense system design method and device for advanced persistent threat, and belongs to the technical field of safety monitoring. The method comprises the following steps: performing service simulation and system cloning on a real service system; constructing a data unidirectional transmission path between a real service system and a digital proxy defense system, and performing desensitization processing on sensitive data in the real service system and creating bait data which is interested in advanced continuous threat attack in the data unidirectional transmission path; full-chain simulation is carried out on the process related to the advanced continuous threat attack based on the view angle of an attacker so as to generate a working state that the digital proxy defense system faces the advanced continuous threat attack; the behavior elements in the working state are extracted and processed by code instrumentation and information flow collection in the digital proxy defense system so as to record the attack process of advanced continuous threat attack. The invention provides an effective APT attack capturing and attack behavior long-acting monitoring mechanism under the proxy environment.

Description

Digital stand-by defense system design method and device for advanced persistent threat

Technical Field

The invention belongs to the technical field of safety monitoring, and particularly relates to a digital stand-by defense system design method and device for advanced persistent threat.

Background

With the rapid development of information technology and the increasing complexity of network environments, advanced persistent threat (ADVANCED PERSISTENT THREATS, APT) has become one of the major challenges facing the field of network security. APT attacks are usually initiated by highly specialized attackers, with definite targets, hidden actions, long duration, complex means, and pose a serious threat to the information system in the heavy domain. Conventional security measures, such as firewalls, intrusion detection systems, etc., often have difficulty effectively dealing with such concealed threats. Two types of technologies relevant to the present invention in the field of cyber-space security are honeypot technology and sandbox technology. These two types of technologies are the systems and methods of attack trapping and attack behavior deep analysis which are the main at present.

Honeypots are an attack trapping technology used for simulating a vulnerable terminal system, exposing an attack surface and attracting an attacker to develop attacks. Honeypot technology can be classified into low-interaction, medium-interaction and high-interaction honeypots according to interaction procedures with business systems, and the low-interaction and medium-interaction honeypots are usually ports or combinations of ports for exposing specific services or applications, and lack support of complete operating system-level complex service interfaces. From the aspect of environment simulation, the low-medium interaction honeypots cannot fully simulate all business environments and systems, particularly specific industries or complex systems, and cannot generally provide enough depth and context information, so that the attack behaviors are difficult to be deeply understood and analyzed. This limits their ability to capture and analyze complex APT attacks. The high-interaction honeypot has certain service simulation capability, can provide service system simulation, and part of high-interaction honeypots can provide system-level simulation. However, the APT attack involves multiple attack links, such as C2 communication, DNS resolution, trojan implantation of a network device, and an environmental terminal where multiple samples are combined to run, and currently, various honeypot methods cannot provide a complete simulation scheme. Furthermore, many advanced APT attack samples, once found suspected honey environments, will hide their behavior, even self-destruct, which makes the honey technology limited in APT capture and sample analysis capabilities.

The sandbox technology is an effective dynamic malicious software analysis method, can run suspicious codes in an isolated environment, and monitors the behaviors of system call, network interaction, file operation and the like when a monitoring program is executed. However, conventional sandboxes are typically focused on analyzing a single malicious sample in an isolated area, but have limited sandboxes detection capabilities for those APT samples that can circumvent sandboxes detection. Part of advanced APT samples change their behavior or avoid sandboxed detection even through sleep, environmental detection, etc. While at the same time. Especially when the APT attack is implemented by a plurality of samples and a plurality of stage combinations, it is difficult for the sandbox technique to provide collaboration among a plurality of systems and to interact and collaborate among sandboxes. Therefore, the sandbox technology cannot cope with complex APT attack technique and tactics in the aspect of dynamic analysis, and provides capability for deep analysis of APT samples.

Disclosure of Invention

Aiming at the problems, the invention discloses a digital stand-by defense system design method and device for advanced persistent threat, which analyze and condense different links involved in APT attack in view of an attacker, and clone and simulate real service environment, service system and service data in particular, thereby providing an effective APT attack capturing and stand-by environment attack behavior long-term monitoring mechanism.

In order to achieve the above object, the present invention provides the following.

A digital stand-by defense system design method for advanced persistent threats, the method comprising:

performing service simulation and system cloning on a real service system to obtain a digital proxy defense system;

Constructing a data unidirectional transmission path between a real service system and a digital proxy defense system, and performing desensitization processing on sensitive data in the real service system and creating bait data which is interested in advanced continuous threat attack in the data unidirectional transmission path;

full-chain simulation is carried out on the process related to the advanced continuous threat attack based on the view angle of an attacker so as to generate a working state that the digital proxy defense system faces the advanced continuous threat attack; the process related to the advanced persistent threat attack comprises the process of acquiring desensitized data and decoy data by the advanced persistent threat attack;

and extracting and processing the behavior elements in the working state by carrying out code instrumentation and information flow collection in the digital proxy defense system so as to record the attack process of the advanced continuous threat attack.

Further, the construction of the unidirectional data transmission path between the real service system and the digital proxy defense system includes:

Establishing a simulation isolation area based on a data security and network security protection technology between a real service system and a digital proxy defense system so as to realize unidirectional synchronous access control of files; wherein, the data security and network security protection technique includes: an isolation area firewall and other network access control technologies, an isolation area data security control technology and an isolation area access control technology.

Further, full-chain analog simulation is performed on the process involved in the advanced persistent threat attack based on the view angle of an attacker, including:

Constructing a simulation simulator in a digital proxy defense system, the simulation simulator comprising: the system comprises a network equipment simulation simulator, a DNS service simulation simulator, a C2 and sample weapon simulation simulator and a service terminal simulation simulator, wherein the network equipment simulation simulator is used for simulating a network infrastructure environment of an advanced continuous threat sample attack target, the DNS service simulation simulator is used for reproducing a DNS analysis process and simulating DNS inquiry and response behaviors, the C2 and sample weapon simulation simulator is used for reproducing distribution and control processes of C2 and sample weapons of an attacker, simulating generation, transmission and execution processes of attack loads and interaction behaviors between the sample weapons and the C2, and the service terminal simulation simulator is used for simulating various potential victim terminal equipment and operating system environments, reconstructing system and application program characteristics of the attack target and evaluating influence and permeability of the attack sample on a service system;

acquiring an advanced persistent threat sample;

After harmless modification of the advanced continuous threat samples, the harmless advanced continuous threat samples are injected into different business terminal simulation simulators in batches according to the organization and the type; after the harmless transformation of the advanced continuous threat samples, the harmless advanced continuous threat samples are injected into different business terminal simulation simulators in batches according to the organization and the type, and the method comprises the following steps:

Isolating and pre-executing the collected advanced persistent threat sample by using a sandbox environment, and identifying and extracting malicious functional parts by analyzing the behavior of the advanced persistent threat sample;

Modifying and adjusting malicious functions in the advanced persistent threat sample by modifying malicious codes or dynamic execution paths in the malicious function part, so as to ensure that the harmless advanced persistent threat sample cannot cause actual harm in the simulation environment;

According to the original attack targets and types of harmless advanced persistent threat samples, distributing the attack targets and types to corresponding service terminal simulation simulators in batches and purposefully so as to simulate a real attack scene;

reversely analyzing harmless advanced continuous threat samples to obtain sample core parameters; wherein the sample core parameters include: sample initialization starting parameters, sample communication behavior parameters, sample injection behavior parameters and key information record checking behavior parameters;

Performing resource scheduling and configuration on a network equipment simulation simulator, a DNS service simulation simulator, a C2 and sample weapon simulation simulator and a service terminal simulation simulator based on sample core parameters; the resource scheduling and configuration of the network equipment simulation simulator, the DNS service simulation simulator, the C2, the sample weapon simulation simulator and the service terminal simulation simulator based on the sample core parameters comprises the following steps:

based on the sample initialization starting parameters, the sample communication behavior parameters and the sample injection behavior parameters, the network environment and configuration of the simulation simulator are adjusted, and the communication, injection and execution behaviors of the sample are accurately reproduced;

Based on the sample communication behavior parameters, configuring corresponding DNS analysis rules and response behaviors in a DNS service simulation simulator, and simulating DNS query and analysis processes of the sample;

based on the sample communication behavior parameters, C2 and sample weapon simulator configuration is adjusted, communication characteristics are controlled according to a command of a sample, and response behaviors of a simulation C2 server and command issuing strategies are set;

Recording inspection behavior parameters based on sample initialization starting parameters, sample injection behavior parameters and key information, and configuring necessary operating system and application program environments and corresponding defense strategies for a service terminal simulation simulator so as to observe behavior differences of samples under different protection backgrounds;

Simulating and analyzing a DNS request initiated by a harmless advanced continuous threat sample through a DNS service simulation simulator; wherein the simulating, by the DNS service simulator, the DNS request initiated by the resolving the harmless advanced persistent threat sample includes:

configuring a DNS service simulation simulator to identify and respond to specific DNS queries from harmless advanced persistent threat samples, simulating a real domain name resolution process;

recording and analyzing DNS query behaviors of harmless advanced persistent threat samples, wherein the DNS query behaviors are used for researching a domain name generation algorithm and a C2 domain name utilization strategy of the samples; wherein the DNS query behavior includes: inquiring domain name, inquiring frequency and inquiring time;

Positioning the resolved IP address to a C2 and sample weapon simulation simulator, and simulating the behavior of an attacker through the realized penetration, sample issuing, C & C communication and information feedback; the positioning the resolved IP address to the C2 and sample weapon simulator, through penetration, sample issuing, C & C communication and information feedback, the full chain simulates the behavior of an attacker, including:

Setting a C2 and sample weapon simulator to respond to the simulated and analyzed IP address and establish communication connection with the harmless advanced continuous threat sample;

Simulating the instruction issuing and data receiving processes of the C2 server, and simulating the operations of remote control and data stealing of the victim by an attacker;

and analyzing the data recorded by the C2 and the sample weapon simulator to obtain the behavior mode, the attack strategy and the data stealing target of the attacker.

Further, the method for extracting and processing the behavior elements in the working state by code instrumentation and information flow collection in the digital proxy defense system to record the attack process of the advanced persistent threat attack comprises the following steps:

instrumentation of instrumentation code during execution of an advanced persistent threat attack, the instrumentation code for monitoring system abnormal behavior, the system abnormal behavior comprising: monitoring system call, collecting information, modifying program behavior, modifying registers and memory, wherein the instrumentation hierarchy of the instrumentation code comprises: instruction level, module level and system level, the instrumentation point of the instrumentation code comprises: memory read and write, system call and instruction execution;

collecting kernel-level control and information flow in a business simulation system based on the instrumentation code;

according to the kernel-level control and information flow, extracting behavior elements involved in the running period of the advanced persistent threat attack to form logs and data files;

And obtaining an attack process of the advanced persistent threat attack according to the log and the data file.

Further, the behavioral elements include: file and registry operations, process behavior, network communication behavior, API and system call behavior, and memory access behavior;

The extracting the behavior elements related to the running period of the advanced persistent threat attack according to the kernel-level control and information flow comprises the following steps:

The instrumentation code is configured to extract, according to corresponding kernel-level control and information flow, file and registry operations involved in the execution period of the advanced persistent threat attack when the file is opened, read, written and closed during the execution period of the advanced persistent threat attack, where the file and registry operations include: file operation details and registry operation information;

and/or the number of the groups of groups,

The instrumentation code is arranged at the process creation and ending of the advanced persistent threat attack during execution, and extracts the process behaviors related to the advanced persistent threat attack during operation according to the corresponding kernel-level control and information flow, wherein the process behaviors comprise: process list, process state, process memory map and process tree information;

and/or the number of the groups of groups,

The instrumentation code is arranged in the execution period of the advanced persistent threat attack, when the network request is initiated and the response is received, network communication behaviors involved in the execution period of the advanced persistent threat attack are extracted according to corresponding kernel-level control and information flow, and the network communication behaviors comprise: the network traffic packet and the protocol and port information associated with the network traffic packet;

and/or the number of the groups of groups,

The instrumentation code is configured to extract, when a specific system call occurs during execution of the advanced persistent threat attack, an API and a system call behavior related during the execution of the advanced persistent threat attack according to a corresponding kernel-level control and information flow, where the API and the system call behavior include: operating system level system call and corresponding system call information, system call sequences, call frequencies, parameters of specific calls and result reports;

and/or the number of the groups of groups,

When the instrumentation point of the instrumentation code is memory reading and writing, extracting memory access behaviors related to the operation period of the advanced persistent threat attack according to corresponding kernel-level control and information flow, wherein the memory access behaviors comprise: memory access, memory allocation and post-release usage for a particular memory region.

Further, after extracting the behavioral elements involved in the running period of the advanced persistent threat attack according to the kernel-level control and information flow to form the log and the data file, the method further comprises:

Storing, indexing and analyzing the logs and the data files to identify advanced persistent threat attacks; the storing, indexing and parsing the log and the data file to identify the advanced persistent threat attack includes:

obtaining key information in a log and a data file, wherein the key information comprises the following components: a timeline of advanced persistent threat attack execution and corresponding system calls, file operations, critical network activity behavior, ioC information;

generating a Yara detection rule file based on key information corresponding to all advanced persistent threat attacks;

and identifying the advanced persistent threat attack according to the Yara detection rule file.

Acquiring a behavior mode and attribution process of the advanced persistent threat attack based on the log and the data file; the behavior mode and attribution process for acquiring the advanced persistent threat attack based on the log and the data file comprises the following steps:

Carrying out data statistics and association analysis on different types of behaviors in the log and the data file so as to model an overall behavior mode of the advanced persistent threat;

and constructing a multidimensional mapping rule based on the overall behavior mode of the advanced persistent threat, and mapping the behavior of the advanced persistent threat attack to a corresponding ATT & CK attack stage and technical tactics to form an attribution process of the specific advanced persistent threat.

Further, after the instrumentation code collects the kernel-level control and information flow in the business simulation system, the instrumentation code further comprises:

comprehensively judging the current attack execution stage of the advanced persistent threat attack based on the running time of the advanced persistent threat attack, system call, file operation, monitoring information of network behavior and activity logs;

For each attack execution stage, creating a snapshot for the client at a specific execution point to keep a snapshot of the client system-wide state of the specific execution point;

replay records a snapshot of the client-wide system state of the particular enforcement point to understand in depth the behavioral patterns of advanced persistent threats.

A digital stand-by defense system design apparatus for advanced persistent threats, the apparatus comprising:

The proxy system generation module is used for carrying out service simulation and system cloning on the real service system to obtain a digital proxy defense system;

The data path construction module is used for constructing a data unidirectional transmission path between the real service system and the digital proxy defense system, desensitizing sensitive data in the real service system in the data unidirectional transmission path and creating bait data which is interested in advanced continuous threat attack;

The full-chain simulation module is used for carrying out full-chain simulation on the process related to the advanced continuous threat attack based on the view angle of an attacker so as to generate the working state of the digital proxy defense system facing the advanced continuous threat attack; the process related to the advanced persistent threat attack comprises the process of acquiring desensitized data and decoy data by the advanced persistent threat attack;

And the attack process recording module is used for extracting and processing the behavior elements in the working state by carrying out code instrumentation and information flow acquisition in the digital proxy defense system so as to record the attack process of the advanced continuous threat attack.

Compared with the prior art, the invention has at least the following technical advantages:

(1) The invention is characterized in that based on the view angle of an attacker, the whole chain simulation is carried out on the process related to attack so as to reproduce the working state of a real service system. The digital proxy defense system is based on a KVM virtual platform and performs unified management on different simulation operating systems such as Linux, windows, macOS. Each simulation operation system is provided with software required by real service, and each simulation operation system not only truly presents the state of the service terminal system, but also can be mutually related to simulate the normal service running state. The digital proxy defense system not only establishes a high-simulation and high-interaction proxy system for a network and an information system in a key industry, delays attacks suffered by a real service system in time and disperses the harm of the attackers in space, but also provides a data acquisition path for acquiring fresh samples and full-chain attack logs.

(2) The full-attack chain simulation technology based on the virtualization technology under the view angle of an attacker provided by the invention comprises three parts of full-chain environment simulation environment design, simulated resource scheduling and configuration and sample culture pipeline management. The full-chain environment simulation environment needs to simulate the scene of APT attack, and comprises a network intermediate node, a DNS server, a C2 server facing an attacker, a Trojan horse download server and the like. The KVM virtualization platform simulates network nodes for virtual machines and entity equipment related to a plurality of links, and realizes full-flow reproduction. The resource scheduling and configuration module performs scheduling configuration for the chain simulation environment, and automatically adjusts the states of all nodes according to the sample execution configuration information. The sample culture pipeline management module is used for managing culture processes including initialization, marking, distribution, culture process management and result recording.

(3) The invention provides a data desensitization and synchronous control technology between a service system and an avatar system, which comprises a data desensitization and imitation module, a service simulation isolation area and a unidirectional file synchronous control module. The data desensitization module is used for carrying out desensitization processing on the high-sensitivity trapping document to generate a desensitized document; while creating decoy data for the attacker's interest, including but not limited to (taint files, program code, critical records, etc.). And finally, a file unidirectional synchronization control module is designed for realizing unidirectional synchronization and access control between the real service system and the proxy system.

(4) The out-of-band non-sensing monitoring technology which is independent of the information system and is oriented to high-level attack, provided by the invention, can collect attack logs outside a simulator and monitor attack behaviors. The out-of-band noninductive monitoring comprises an operating system instrumentation module, a key behavior capturing module, a monitoring log post-processing module and a snapshot management module. The operating system instrumentation module is used for code instrumentation and information flow collection in the virtual environment. The behavior capture module is used for extracting and processing different behavior elements during the operation of the sample, such as file operation, process behavior, network behavior and the like. The log post-processing module is used for storing, indexing and analyzing the captured log and generating a key information report and a Yara detection rule. The snapshot management module creates a snapshot for the client at the key execution point, records the system state, supports time point skip, and analyzes the specific event.

In conclusion, the success rate of sample activation can be greatly improved by constructing the simulation environment and modifying the sample. In order to realize sample activation and cultivation in batches and chains, the operation strategy of the samples needs to be planned first. And extracting a stage relevance sample and a mutual exclusivity sample according to the public report and the transformation condition. The phase association samples are different attack samples in the same attack chain, and the different attack samples need to exist in the same terminal simultaneously or sequentially in the activation process, and the samples need to be planned into a task. The mutually exclusive samples indicate that two samples cannot coexist in the same terminal, otherwise, a certain sample is inactivated or a system is crashed. For sample sets without relevance or mutual exclusion, the sample sets can be cultivated in the same terminal together according to the sandbox performance, and the out-of-band system is utilized to monitor the running state and collect the related information so as to realize the attack behavior monitoring. The adaptation list is submitted to a network intermediate node, an attack issuing platform and a DNS server, and provides basis for the configuration of the modules. If the sample cannot be adapted and modified, the sample will be marked and screened out and not enter the clone business system.

Drawings

Figure 1 is a schematic diagram of the operation of the digital proxy defense system.

FIG. 2 APT is a schematic diagram of a sample reverse analysis.

Figure 3 is a schematic diagram of a full chain simulation technique of the digital proxy defense system.

FIG. 4 is a schematic diagram of a data desensitization and synchronization control mechanism.

Fig. 5 is a schematic diagram of the out-of-band non-sensing monitoring module and the working principle.

Detailed Description

The digital proxy defense system design method provided by the invention is characterized in that the APT attack characteristics are deeply analyzed, and the APT attack chain is completely simulated from the perspective of an APT attacker, so that a proxy system with high simulation and high interaction matched with a real service system and network facilities is established. The invention provides a real interactive and full-chain simulation avatar system through cloning the simulation service system and the network facilities, and can more effectively trap and analyze the real APT attack behaviors. According to the invention, through the functions of harmless transformation and implantation of the APT sample, automatic desensitization and synchronization of the service data and the like, the service data can be more truly simulated, the attack chain can be completed, and an attacker can be induced to develop attacks in the substitution system. In addition, the invention designs an out-of-band noninductive monitoring mechanism, compared with the traditional method of installing security monitoring software in a service system, the out-of-band noninductive monitoring is difficult to be perceived and avoided by an APT attacker, the attack behavior can be comprehensively recorded, the attack trace and the attack clue can be effectively extracted, and a new system design mechanism is provided for developing high-level APT defense.

The invention provides a digital substitution method design facing advanced continuous threat, which is used for establishing a high-simulation and high-interaction substitution system for a network and an information system in a key industry, capturing a real malicious sample, and performing transformation and adaptation to enable the real malicious sample to run in a simulation environment. And by combining the out-of-band monitoring capability, data resources such as logs and samples are provided for advanced continuous threat detection and defense. The working principle of the digital avatar is shown in figure 1.

In order to simulate a real service system to the greatest extent in a virtualization scene, the invention carries out simulation cloning on a real service system platform through a KVM virtual machine. By knowing the internal flow of the service system, the system internal state, the process, the memory, the file and the like are comprehensively mastered, and the working state of the system is recovered as much as possible under an out-of-band scene based on the KVM virtual machine architecture. The KVM virtual machine performs unified management through the virtual simulation management platform, can perform clone simulation on different service systems including a DNS server, a file server, a mail server and the like, and can simultaneously create a proxy system matched with different service terminals for user terminals and the like, including but not limited to Linux, windows, macOS operating systems, and performs virtual machine customization configuration and snapshot management through the KVM framework. In order to realize the operation requirement of the service, some attacker concerned software such as OA Office system, office, VPN and the like is installed in the service terminal substitution system, and a script is created to simulate the possible operation state of the software in normal service. The terminal service simulation simulator can simulate the environment required by the threat attacker to the greatest extent, so that the success rate of sample execution, the functional coverage rate, the behavior triggering rate and other indexes are improved, and an API call interface is provided for out-of-band log acquisition and monitoring.

The APT attack is a high-hidden network attack initiated by a high-level organization, has the characteristics of modularization and multi-step combination, and comprises a kill-chain model (comprising 7 stages) and an ATT & CK model (comprising 14 stages) for the APT attack at present, but the models are not suitable for simulating simulation environments. The invention provides an APT-oriented full-attack chain simulation technology, which designs 4 types of simulation systems with cooperative functions and cooperates with work among simulation devices to simulate core steps involved in an APT attack chain and an attack-related information system. Specifically, the device comprises 3 modules: the full attack chain simulates the design of a simulation environment, the depth reversal and implantation of APT samples and the scheduling and configuration of simulation resources, and the flow is shown in figure 2.

1) Full-attack chain simulation environment design

The APT attack comprises multiple attack phases and multiple traffic scenarios, spanning multiple terminals and systems. For an APT attack network link, an attacker attacks network boundary equipment (such as routing equipment, a gateway and the like) to reach an intranet terminal in order to invade a specific target, meanwhile, the intranet is likely to transversely move, and finally, a sample is executed on the target terminal; from the perspective of sample delivery, an attacker can deliver samples to a victim terminal through a springboard node and an agent node, and after the samples are successfully executed, the DNS domain name resolution is requested to obtain an IP address appointed by the attacker; from the perspective of network resources, the C2 server and the attack weapon platform server which establish a control channel with the victim terminal are involved.

Based on a complex APT attack flow, the invention generalizes an attack link, configures corresponding environments and network facilities according to different APT attack organization characteristics, and establishes 4 kinds of simulation: network equipment simulation simulator, DNS service simulation simulator, C2 and sample weapon simulation simulator, and service terminal simulation simulator. Through direct network communication and collaborative scheduling of four simulators, the full-flow reproduction of advanced threats and attacks such as APT can be realized. The specific functions of the class 4 simulation simulator are as follows:

Network equipment simulation simulator: simulating a network infrastructure environment of an advanced persistent threat sample attack target, and constructing a virtual network topology in detail, wherein the virtual network topology comprises the behaviors and interactions of network equipment such as routers, switches, firewalls and the like;

DNS service emulation simulator: and accurately reproducing the DNS analysis process, analyzing the DNS request initiated by the APT sample, simulating various DNS query and response behaviors, and positioning the analyzed IP address to a C2 and sample weapon simulator. The method is used for researching a communication mechanism and an countermeasure strategy for an attacker to command and control (C2) server access by using DNS;

C2 and sample weapon simulator: the method is used for simulating the behavior of an attacker, reproducing the distribution and control processes of C2 and a sample weapon of the attacker, simulating the generation, transmission and execution processes of an attack load, and the communication interaction and information feedback behaviors between the sample weapon and C2;

Service terminal simulation simulator: simulating various potential victim terminal equipment and operating system environments, reconstructing system and application program characteristics of an attack target, and evaluating influence and permeability of an attack sample on a service system;

2) APT sample depth reversal and sample implantation

Due to the modularized working characteristic of the APT attack, in order to induce an attacker to implement the attack as soon as possible and acquire new APT attack clues to improve the defending capability, the invention further implants the modified harmless sample on the substitution system, activates the substitution system on the simulator, supplements the attack chain to the greatest extent from the view of the attacker, and induces the attacker to develop real attack on the substitution system. The invention relies on four types of proxy simulation simulators to obtain sample core parameters by reversing the depth of an APT sample, including but not limited to: sample initialization start-up parameters, sample communication behavior, sample injection behavior, critical information record checking behavior, etc. The method comprises the following specific steps:

Sample initialization start-up parameters: analyzing a starting mechanism of a sample, including a persistence method such as registry modification, planning task creation and the like;

Sample communication behavior: the communication mode of the research sample and an external server or a command control center comprises a protocol type, an encryption method and a data format;

Sample injection behavior: analyzing how a sample is injected into a normal process to execute malicious functions, including techniques of direct writing into a memory, process hijacking and the like;

Key information record checking behavior: identifying how the sample records and transmits sensitive information, such as keyboard records, screen shots, and document theft;

the samples are injected into different business terminal simulation simulators in batches according to the organization and the type by carrying out deep reverse analysis and harmless transformation on the samples, so that the attack chain is completed. Specifically, firstly, a sandbox environment is used for isolating and pre-executing collected samples, and the behavior of the collected samples is analyzed, and malicious functional parts are identified and extracted by combining static analysis information of the samples; then modifying and adjusting malicious functions in the sample by modifying malicious codes or dynamic execution paths, so as to ensure that the sample cannot cause actual harm in a simulation environment; finally, samples with different organizations and file types are distributed to corresponding service terminal simulation simulators in batches and purposefully so as to simulate a real attack scene.

When the sample is implanted, the running process and the system state of the sample are monitored at the same time, the conditions such as system breakdown and sample inactivation are avoided, and finally, the running result and the output condition are recorded to form a complete monitoring log, and the specific flow is shown in fig. 3. By harmless transformation of the APT sample and implantation on the substitution system, the complete attack chain is maximized, and an attacker is induced to attack on the substitution system in real time, so that a foundation is provided for finding new APT attack clues and improving the APT defense capability.

3) Emulation resource scheduling and configuration

In order to realize unified management of the full-attack chain simulator and the network facilities, the modified samples are injected in batches. The configuration information required by sample execution can be obtained by reversing the sample depth, the sample operation parameters of the simulation simulator are configured by the simulation resource scheduling and configuration module, the sample is implanted and activated after the configuration is successful, and the sample is operated on the simulation simulator system to complement the attack chain. The method comprises the following specific steps:

according to the reverse analysis result, the network environment and configuration of the simulation simulator are adjusted, so that the communication, injection and execution behaviors of the sample can be accurately reproduced;

configuring corresponding DNS analysis rules and response behaviors in a DNS service simulation simulator, and simulating DNS query and analysis processes of samples;

In the C2 and sample weapon simulation simulator, according to the command control communication characteristics of the sample, setting the response behavior of the simulation C2 server and issuing command strategies;

And configuring necessary operating system and application program environments and corresponding defense strategies for the service terminal simulation simulator so as to observe the behavior difference of the sample under different protection backgrounds.

The core objective of the APT attack is to obtain sensitive service data of the terminal system. The invention provides an automatic data desensitization and synchronization technology between a service system and an avatar system. Aiming at sensitive documents existing in a real service system, through sensitive data desensitization and automatic simulation file generation, a data unidirectional path between the service system and a proxy is formed based on network setting between the designed proxy system and the real service system, and a strong access control strategy is designed to ensure that data unidirectional flow between the real service system and the proxy system is synchronous with automatic desensitization, and the flow is shown in figure 4.

1) Automatic generation of desensitized and simulated files of sensitive data

The avatar data is composed of a desensitized file and a decoy file. In order to ensure that the avatar data can be as close to the intention of an attacker as possible, the invention automatically desensitizes and imitates the data files in the avatar system in combination with industry characteristics, including but not limited to text rule matching and business sensitive word replacement, replaces, deletes and confuses the hit files and the contents thereof, and generates desensitized files. On the other hand, based on TextGAN network, by word vector processing and combining the attention of attacker, a batch of information such as simulation file, information record and code which are highly similar to the real data are forged and generated, and automatically delivered to the substitution system.

2) File unidirectional synchronous control based on simulation isolation area

The setting of the isolation area aims at providing protection of different security levels for different resources, and realizes the separation of the internal network and the external network. The invention designs a simulation isolation area supporting unidirectional synchronization, which protects real sensitive data in a service system from being stolen by attacks in a proxy system and supports data desensitization and automatic synchronization in the service system and the proxy system. The service system can access the isolation area and generate desensitization data and bait data, the isolation area data can only be one-way synchronized to the avatar system, and the isolation area adopts data security and network security protection technologies, including but not limited to: network access control technologies such as an isolation zone firewall, isolation zone data security control technologies, isolation zone access control technologies and the like. When an attacker carries out attack on the proxy system, the attacker cannot access the real service system and steal the real data because the attacker cannot cross the isolated network and the data security access control.

The invention realizes the unidirectional synchronous access control of the file by the simulation isolation area designed between the real service system and the proxy system. On the data transmission paths of the service system and the proxy system, access control rules can be flexibly configured, only data of the service system is allowed to reach the proxy system after desensitization, but data of the proxy system is not allowed to reach the service system, and the attack initiated by the proxy system is ensured not to reach the service system through the network path. Meanwhile, the data desensitization and imitation are realized in the isolation area, and the disk file is cleared in time, so that the current network security and data security technology can be fully utilized, and meanwhile, a flexible and reliable unidirectional data transmission channel can be established on the premise of not affecting a service system.

And (5) acquiring all attack behavior logs of the attacker and hiding the monitoring environment. The invention designs an out-of-band non-sensing monitoring technology independent of an information system based on a proxy system. In the current security monitoring means, terminal monitoring software such as EDR, agent and the like is installed on a service system, so that the security monitoring means is easily perceived by an attacker to stop the attack. The out-of-band information acquisition and log restoration mechanism based on the kernel dynamic instrumentation technology of the operating system is high in concealment and not easy to be perceived by an attacker. As shown in fig. 5, the out-band information collecting module includes four key functional modules of an operating system kernel-level instrumentation engine, a behavior capturing module, a log post-processing module and a snapshot management module, and can perform continuous key behavior collection and association analysis on malicious codes delivered by advanced persistent threats, and specific implementation of specific functional modules is as follows:

1) Kernel-level pile inserting module based on operating system

The present invention contemplates a instrumentation engine that can insert instruction-level user-defined code during program binary execution in a virtual environment. Instrumentation code monitors system calls, collects information, modifies program behavior, modifies registers and memory, etc., for behavioral elements that capture advanced persistent threats. The present invention supports multiple instrumentation points including, but not limited to, memory reads and writes, system calls, instruction execution, etc., while also being capable of supporting multiple instrumentation levels including instruction level instrumentation, module level instrumentation, and system level instrumentation.

By means of the kernel instrumentation technology of the operation system, kernel-level control and information flow are collected only inside the business simulation system, and operation behaviors such as processes, files and the like and access logs are reconstructed outside the simulation system, and the method comprises the following specific steps:

Operating system instrumentation: the technique first implements instrumentation of an operating system by embedding instrumentation code within the operating system. These instrumentation points may be located near key functional points such as system calls, file operations, process management, and network communications.

And (3) information flow acquisition: once instrumentation code is embedded, the operating system begins capturing and recording sample access and control information streams. This includes file reads and writes, system calls, network communications, and process creation.

Information flow derivation: the collected information stream is exported outside the host for further analysis and recovery. This may be done by way of a network connection or file transfer, etc.

And (5) information flow reduction: the exported information stream is restored outside the host to restore the operational behavior within the client. The restoration can cover detailed information such as process creation, file reading and writing, system call parameters and the like.

Access log reconstruction: finally, the restored information stream may be used to reconstruct access logs within the client, including access and control of files, processes, and system calls. This access log may be used to analyze, audit, and monitor the behavior of clients.

2) Behavior capturing module

Based on an operating system instrumentation engine and an information flow acquisition and restoration technology, the invention sets a behavior capture module to respectively extract different behavior elements such as API and system call behaviors, process behaviors, file and registry operations, network behaviors and the like which are involved in the operation period of the binary sample, and the behavior capture module is used for advanced continuous threat detection and attribution judgment. The system collects and processes different types of sample operation behaviors in the form of behavior monitoring plug-ins, and each behavior monitoring plug-in captures logs and data files formed by corresponding behaviors based on a pile-in technology to form a return result. The extracted specific behavior information is as follows:

File and registry operations: recording related operations of the file, setting inserting pile points when the file is opened, read, written and closed, and outputting a file operation detailed information list such as operation types, file paths, operation results and the like; capturing registry creation, reading, writing, deleting, and the like.

Process behavior: and setting a pile insertion point when the process is created and ended, and collecting returned process list, process state, process memory mapping and process tree information.

Network communication behavior: the stub is set at the time of network request initiation and response reception, capturing network traffic packets, and related protocol and port information. Monitoring communications for a particular port or protocol may be configured.

API and system call behavior: recording various API functions called by the sample in operation, including functions in a system library and a third party library; setting a plug point when a specific system call occurs, recording the system call of an operating system level, collecting information such as a system call name, a number, parameters, a return value and the like, outputting a system call sequence, a call frequency, parameters of the specific call and a result report, and understanding the interaction mode of a sample and the operating system.

Memory access behavior: all memory accesses to a particular memory region are monitored, usage after memory allocation and release is tracked, and a physical memory dump file is created at a specified location.

Other actions: for example, specific strings are searched in memory and disk to identify specific data patterns or critical information, such as hard-coded keys, files, paths, etc., that are involved in the execution of malicious code samples, in order to find sensitive data or identify malicious behavior.

Based on the kernel instrumentation engine of the operating system and the behavior capturing module, the invention can collect the monitoring log without installing related monitoring software in the attacker, thereby not only effectively avoiding the interference of the attacker on the attacker who installs various security monitoring software in the attacker, but also comprehensively recording all attack processes of the attacker.

3) Log post-processing module

The invention designs a log post-processing module, which supports the storage, indexing and analysis of various log files output by the behavior capturing module. On the one hand, key information reports are written according to important clue information in the log, and include IoC information such as a time line for malicious code sample execution, important system call and file operation, key network activity behavior, network connection, domain name and host IP, special character strings and the like. And generating a Yara detection rule file based on the key information for efficiently identifying the specific type of malicious code sample. Meanwhile, the system provides full-log searching capability, can quickly locate specific sample operation log entries based on key information, and is convenient for deep manual analysis. On the other hand, through carrying out data statistics and association analysis on logs of different types of behaviors, the overall behavior mode of the advanced continuous threat can be modeled, a multidimensional mapping rule is constructed based on the extracted behavior mode, the sample behaviors are mapped to specific ATT & CK attack stages and technical tactics, an attribution judging method of the specific advanced continuous threat is formed, and the behavior mode and attribution process are displayed in multiple angles through a chart, a tree diagram and other visual methods, so that the attack process can be understood more intuitively.

4) Snapshot management module

Snapshot management is a system level record of each scene in the attack stage, and the attack scene snapshots can be replayed as required. The method comprehensively judges the current attack execution stage of the sample based on the sample running time, the monitoring information of system call, file operation and network behavior and the activity log. For each attack stage, the invention creates a snapshot for the client at a specific execution point, and retains the full system state of the client at that moment, including memory, CPU state and device new state. Such as before and after critical actions occur (e.g., key file reads and writes, registry key modifications, triggering specific system calls, etc.), before and after communicating with the C2 control server, etc., before and after the sample begins execution.

The invention creates a plurality of snapshots at different stages of sample execution, can record a plurality of events and respectively stores the complete system state when in creation. Replay of a snapshot of a particular execution point, restoration of the virtual machine to a particular historical state, and observation and analysis of system behavior starting at this point in time can help to understand in depth the behavior patterns of malware samples and advanced persistent threats. Meanwhile, the method can support the jump of the time point, and the jump to the specific time point in the record is convenient for analyzing the specific event.

Based on the criticality and uniqueness of the captured malware behavior, the importance of the snapshot is evaluated for periodically checking the freshness and value of the stored snapshot, thereby forming snapshot retention and deletion rules to control storage overhead.

In conclusion, the digital substitution method provided by the invention is used as a novel risk defense means, and has a wide prospect. Based on the idea that the 'replacement' replaces the 'body', the APT attack initiated by the real business system can be effectively relieved, and meanwhile, high-value data resources such as logs and samples are provided for the development of threat detection and defense tools. In addition, the development of the technology will promote the innovation of the related fields, such as Gao Jiaohu honeypots, simulation technology, data desensitization, network attack behavior analysis and the like.

The potential application fields of the present invention are broad and relate to, but are not limited to, the following: first, network systems such as national critical infrastructure can be protected from APT attacks. In addition, the enterprise can be helped to protect intellectual property and sensitive data of the enterprise, and defend against advanced network attacks on the enterprise. In general, the digital proxy technology provided by the invention not only can remarkably improve the defending capability against APT attacks, but also can provide a new view angle and tools for research and product development in the field of network security, and is expected to play an important role in the future network security market.

Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure. This disclosure is intended to cover any adaptations, uses, or adaptations of the disclosure following the general principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. The specification and embodiments are to be regarded as exemplary only, and the disclosure is not limited to the exact construction illustrated and described above, and various modifications and changes may be made without departing from the scope thereof.

Claims

1. A digital stand-by defense system design method for advanced persistent threats, the method comprising:

Full-chain simulation is carried out on the process related to the advanced continuous threat attack based on the view angle of an attacker so as to generate a working state that the digital proxy defense system faces the advanced continuous threat attack; the process related to the advanced persistent threat attack comprises a process of acquiring desensitized data and decoy data by the advanced persistent threat attack, and the process related to the advanced persistent threat attack is subjected to full-chain simulation based on an attacker view angle, and the process comprises the following steps:

acquiring an advanced persistent threat sample;

obtaining a behavior mode, an attack strategy and a data stealing target of an attacker by analyzing the data recorded by the C2 and the sample weapon simulator;

2. The method of claim 1, wherein the constructing a data unidirectional transmission path between the real business system and the digital proxy defense system comprises:

Establishing a simulation isolation area based on a data security and network security protection technology between a real service system and a digital proxy defense system so as to realize unidirectional synchronous access control of files; wherein, the data security and network security protection technique includes: network access control techniques, quarantine data security control techniques, and quarantine access control techniques.

3. The method according to claim 1, wherein the extracting and processing the behavioral elements in the working state by code instrumentation and information flow collection in the digital avatar defense system to record the attack process of the advanced persistent threat attack comprises:

4. A method according to claim 3, wherein the behavioral elements comprise: file and registry operations, process behavior, network communication behavior, API and system call behavior, and memory access behavior;

and/or the number of the groups of groups,

5. A method according to claim 3, wherein, after extracting behavioral elements involved in the running of the advanced persistent threat attack to form a log and a data file according to the kernel-level control and information flow, further comprising:

6. A method according to claim 3, wherein, after extracting behavioral elements involved in the running of the advanced persistent threat attack to form a log and a data file according to the kernel-level control and information flow, further comprising:

7. The method of claim 3, wherein the instrumentation-based code, after collecting kernel-level control and information flows within the business simulation system, further comprises:

8. A digital stand-by defense system design apparatus for advanced persistent threats, the apparatus comprising:

The full-chain simulation module is used for carrying out full-chain simulation on the process related to the advanced continuous threat attack based on the view angle of an attacker so as to generate the working state of the digital proxy defense system facing the advanced continuous threat attack; the process related to the advanced persistent threat attack comprises a process of acquiring desensitized data and decoy data by the advanced persistent threat attack, and the process related to the advanced persistent threat attack is subjected to full-chain simulation based on an attacker view angle, and the process comprises the following steps:

acquiring an advanced persistent threat sample;