Disclosure of Invention
The embodiment of the invention provides an APT organization tracking method and device, a storage medium and an electronic device.
According to an embodiment of the present invention, there is provided an APT tracking method, including: determining an associated IP address of a malicious sample; tracking the associated IP address and domain name information associated with the associated IP address; and judging whether the malicious sample is an attack sample delivered by an APT organization according to the associated IP address and/or the domain name information.
Optionally, before determining whether the malicious sample is an attack sample delivered by an advanced persistent threat APT organization according to the associated IP address and/or the domain name information, the method further includes: entering identity information of the APT organization into a graph database, wherein the graph database comprises at least one of: historical access IP address, historical access domain name, APT organization alias, region where the APT organization is located, common language of the APT organization, attacker type, attack capability, earliest activity time, historical activity time, attack frequency, attack mode, attack range, attack region, responsible country, description information and attack tactical technology.
Optionally, the determining, according to the associated IP address and/or the domain name information, whether the malicious sample is an attack sample delivered by an advanced persistent threat APT organization includes: judging whether a preset domain name list of the APT organization contains the domain name information, and/or judging whether a preset IP address range of the APT organization contains the associated IP address; when the preset domain name list of the APT organization contains the domain name information and/or the preset IP address range of the APT organization contains the associated IP address, determining that the malicious sample is an attack sample delivered by the APT organization, and recording context information of the malicious sample into a graph database as identity information of the APT organization; and when the preset domain name list of the APT organization does not contain the domain name information and/or the preset IP address range of the APT organization does not contain the associated IP address, determining that the malicious sample is not an attack sample delivered by the APT organization.
Optionally, entering the context information of the malicious sample as the identity information of the APT organization into a graph database includes: analyzing family member information of the malicious sample; and taking the malicious sample and the historical access domain name and the historical resolution address of the family member information as the identity information of the APT organization to be recorded into a graph database.
Optionally, entering the context information of the malicious sample as the identity information of the APT organization into a graph database includes: taking the message digest algorithm MD5 node information of the malicious sample as a route extension to obtain IOC associated information of the malicious sample, wherein the IOC associated information comprises: historical access IP addresses and historical access domain names; and taking the IOC correlation information as the identity information of the APT organization to be recorded into a graph database.
According to another embodiment of the present invention, there is provided an apparatus for tracking an APT organization, including: a determining module, configured to determine the associated IP address of a malicious sample; a tracking module, configured to track the associated IP address and the domain name information associated with the associated IP address; and a judging module, configured to judge whether the malicious sample is an attack sample delivered by the APT organization according to the associated IP address and/or the domain name information.
Optionally, the apparatus further comprises: the entry module is used for entering the identity information of the APT organization into a graph database before the judgment module judges whether the malicious sample is an attack sample delivered by the APT organization according to the associated IP address and/or the domain name information, wherein the graph database comprises at least one of the following components: historical access IP address, historical access domain name, APT organization alias, region where the APT organization is located, common language of the APT organization, attacker type, attack capability, earliest activity time, historical activity time, attack frequency, attack mode, attack range, attack region, responsible country, description information and attack tactical technology.
Optionally, the determining module includes: a judging unit, configured to judge whether a preset domain name list of the APT organization contains the domain name information and/or to judge whether a preset IP address range of the APT organization contains the associated IP address; and a processing unit, configured to determine that the malicious sample is an attack sample delivered by the APT organization when the preset domain name list of the APT organization contains the domain name information and/or the preset IP address range of the APT organization contains the associated IP address, and to record context information of the malicious sample into a graph database as identity information of the APT organization; and, when the preset domain name list of the APT organization does not contain the domain name information and/or the preset IP address range of the APT organization does not contain the associated IP address, to determine that the malicious sample is not an attack sample delivered by the APT organization.
Optionally, the processing unit includes: the analysis subunit is used for analyzing the family member information of the malicious sample; and the first entry subunit is used for taking the malicious sample and the historical access domain name and the historical resolution address of the family member information as the identity information of the APT organization to be entered into a graph database.
Optionally, the processing unit includes: a route extension subunit, configured to use the message digest algorithm MD5 node information of the malicious sample as the starting point of a route extension to obtain IOC association information of the malicious sample, where the IOC association information includes: historical access IP addresses and historical access domain names; and a second recording subunit, configured to record the IOC association information into a graph database as the identity information of the APT organization.
According to a further embodiment of the present invention, there is also provided a storage medium having a computer program stored therein, wherein the computer program is arranged to perform the steps of any of the above method embodiments when executed.
According to yet another embodiment of the present invention, there is also provided an electronic device, including a memory in which a computer program is stored and a processor configured to execute the computer program to perform the steps in any of the above method embodiments.
According to the invention, the associated IP address of a malicious sample is determined, the associated IP address and the domain name information associated with it are tracked, and whether the malicious sample is an attack sample delivered by an advanced persistent threat (APT) organization is judged according to the associated IP address and/or the domain name information. Context analysis is carried out on the associated information system by monitoring possibly affected users, and the affected IP addresses and the attacker IP addresses are continuously tracked and recorded, so that the attack samples delivered by the APT organization can be tracked, which solves the technical problem in the related art that an APT organization cannot be tracked from a malicious sample. The ability of operation and analysis personnel to analyze, track and locate malicious samples is greatly improved, and the tracking of the identity information of APT attackers by security personnel is greatly facilitated.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
The method provided by the first embodiment of the present application may be executed in a server or a similar computing device. Taking the example of running on a server, fig. 1 is a block diagram of a hardware structure of an APT tracking server according to an embodiment of the present invention. As shown in fig. 1, the server 10 may include one or more (only one shown in fig. 1) processors 102 (the processors 102 may include, but are not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA) and a memory 104 for storing data, and optionally may also include a transmission device 106 for communication functions and an input-output device 108. It will be understood by those skilled in the art that the structure shown in fig. 1 is only an illustration, and is not intended to limit the structure of the server. For example, the server 10 may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
The memory 104 may be used to store a computer program, for example, a software program and a module of an application software, such as a computer program corresponding to an APT tracking method in an embodiment of the present invention, and the processor 102 executes various functional applications and data processing by running the computer program stored in the memory 104, so as to implement the above-mentioned method. The memory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, memory 104 may further include memory located remotely from processor 102, which may be connected to server 10 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used for receiving or transmitting data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the server 10. In one example, the transmission device 106 includes a network interface card (NIC), which can be connected to other network devices through a base station so as to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is used for communicating with the internet in a wireless manner.
In the present embodiment, a method for tracking an APT organization is provided. Fig. 2 is a flowchart of a method for tracking an APT organization according to an embodiment of the present invention; as shown in fig. 2, the flow includes the following steps:
Step S202, determining the associated IP address of the malicious sample;
A malicious sample in this embodiment refers to code, software, a program, a file or the like that exploits vulnerabilities or security flaws in the network or in a hardware entity to attack the hardware, software and data of a network system.
Step S204, tracking the associated IP address and domain name information associated with the associated IP address;
Step S206, judging whether the malicious sample is an attack sample delivered by the APT organization according to the associated IP address and/or the domain name information.
Through the above steps, the associated IP address of a malicious sample is determined, the associated IP address and the domain name information associated with it are tracked, and whether the malicious sample is an attack sample delivered by an advanced persistent threat (APT) organization is judged according to the associated IP address and/or the domain name information. Context analysis is carried out on the associated information system by monitoring possibly affected users, and the affected IP addresses and the attacker IP addresses are continuously tracked and recorded, so that the attack samples delivered by the APT organization can be tracked, which solves the technical problem in the related art that an APT organization cannot be tracked from a malicious sample. The ability of operation and analysis personnel to analyze, track and locate malicious samples is greatly improved, and the tracking of the identity information of APT attackers by security personnel is greatly facilitated.
In this embodiment, before determining whether the malicious sample is an attack sample delivered by an advanced persistent threat APT organization according to the associated IP address and/or the domain name information, the method further includes: entering identity information of the APT organization into a graph database, wherein the graph database comprises at least one of: historical access IP address, historical access domain name, APT organization alias, region where the APT organization is located, common language of the APT organization, attacker type, attack capability, earliest activity time, historical activity time, attack frequency, attack mode, attack range, attack region, responsible country, description information and attack tactical technology.
Optionally, the determining, according to the associated IP address and/or the domain name information, whether the malicious sample is an attack sample delivered by an advanced persistent threat APT organization includes: judging whether a preset domain name list of the APT organization contains the domain name information and/or judging whether a preset IP address range of the APT organization contains the associated IP address; when a preset domain name list of an APT organization contains the domain name information and/or a preset IP address range of the APT organization contains the associated IP address, determining that the malicious sample is an attack sample delivered by the APT organization, and taking context information of the malicious sample as identity information of the APT organization to be recorded into a graph database; and when the preset domain name list of the APT organization does not contain the domain name information and/or the preset IP address range of the APT organization does not contain the associated IP address, determining that the malicious sample is not an attack sample delivered by the APT organization.
The IP address and the domain name information are two independent dimensions. In the default mode, as long as either the domain name information falls in the preset domain name list of the APT organization or the associated IP address falls in its preset IP address range, the domain name is considered to be under the control of the attack group, or the IP address is considered to be under the control of the attack group, which indicates that the sample is a malicious sample delivered by a certain APT organization. In scenarios with a higher security level, it may instead be required that the domain name information falls in the preset domain name list of the APT organization and the associated IP address also falls within the preset IP address range before the sample is determined to be a malicious sample delivered by the APT organization. Correspondingly, in the default mode the malicious sample is determined not to be an attack sample delivered by the APT organization only when the IP address does not fall within the preset IP address range and the domain name information does not fall within the preset domain name list; in the higher-security mode, the IP address not falling within the preset IP address range or the domain name information not falling within the preset domain name list is already sufficient to determine that the malicious sample is not an attack sample delivered by the APT organization.
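As an added illustration of the judgment in step S206 (example code, not from the patent), the following Python implements both decision modes described above: the default mode, in which a hit in either dimension suffices, and the higher-security mode, in which both the domain name information and the associated IP address must match. The preset domain list and IP ranges are constructed placeholders (RFC 5737 documentation ranges), and treating a subdomain of a listed domain as a hit is an assumption added here.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed preset indicators for a hypothetical APT organization
# (placeholder values for the example, not real intelligence).
PRESET_DOMAINS = {"update-check.example", "cdn-static.example"}
PRESET_IP_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.128/25"),
]


@dataclass
class Verdict:
    """Result of step S206 together with the indicators that produced it."""
    is_apt_sample: bool
    matched_domains: list = field(default_factory=list)
    matched_ips: list = field(default_factory=list)


def domain_in_list(domain, preset_domains):
    """True if the domain, or any parent domain of it, is in the preset list.
    Matching parents is an assumption of this example (the patent only says 'contains')."""
    labels = domain.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in preset_domains for i in range(len(labels)))


def ip_in_range(ip, preset_ranges):
    """True if the address parses and falls inside one of the preset ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: never a hit
    return any(addr in net for net in preset_ranges)


def judge_sample(assoc_ips, domains, preset_domains=PRESET_DOMAINS,
                 preset_ranges=PRESET_IP_RANGES, require_both=False):
    """Decide whether the sample was delivered by the APT organization.

    require_both=False: default mode, a hit in either dimension suffices.
    require_both=True:  higher-security mode, both dimensions must hit.
    """
    matched_domains = [d for d in domains if domain_in_list(d, preset_domains)]
    matched_ips = [ip for ip in assoc_ips if ip_in_range(ip, preset_ranges)]
    if require_both:
        hit = bool(matched_domains) and bool(matched_ips)
    else:
        hit = bool(matched_domains) or bool(matched_ips)
    return Verdict(hit, matched_domains, matched_ips)


if __name__ == "__main__":
    # Constructed sample context: one IP in range, one domain under a listed domain.
    print(judge_sample(["203.0.113.7"], ["mail.update-check.example"]))
    print(judge_sample(["192.0.2.5"], ["cdn-static.example"], require_both=True))
```

Only a positive verdict should trigger the recording of the sample's context into the graph database; a negative verdict in the higher-security mode still leaves the partially matched indicators in the `Verdict` for an analyst to review.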
In an implementation manner of this embodiment, recording the context information of the malicious sample into the graph database as the identity information of the APT organization includes: analyzing family member information of the malicious sample; and recording the malicious sample, together with the historical access domain names and the historical resolution addresses of the family members, into the graph database as the identity information of the APT organization.
In another implementation manner of this embodiment, recording the context information of the malicious sample into the graph database as the identity information of the APT organization includes: using the message digest algorithm MD5 node information of the malicious sample as the starting point of a route extension to obtain IOC association information of the malicious sample, wherein the IOC association information comprises: historical access IP addresses and historical access domain names; and recording the IOC association information into the graph database as the identity information of the APT organization.
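The following added Python example (not the patent's own code) stands in for the graph database used in the two implementation manners above: it enters an APT identity record, records a confirmed sample together with its family, historical access domain names and historical resolution addresses, and then uses the sample's MD5 node as the starting point of a route extension that collects the IOC association information reachable through the sample's family members. The in-memory graph, node labels and edge names are assumptions of this example; the MD5 values are computed from constructed byte strings.

```python
import hashlib
from collections import defaultdict, deque


class IdentityGraph:
    """Minimal in-memory property graph standing in for the graph database.
    Nodes are (label, key) tuples; edges are labelled and stored in both directions."""

    def __init__(self):
        self.props = {}                 # node -> property dict
        self.adj = defaultdict(set)     # node -> {(edge_label, neighbour)}

    def add_node(self, label, key, **props):
        node = (label, key)
        self.props.setdefault(node, {}).update(props)
        return node

    def add_edge(self, src, label, dst):
        self.adj[src].add((label, dst))
        self.adj[dst].add((label, src))

    def neighbours(self, node, label=None):
        return [n for (lbl, n) in self.adj[node] if label is None or lbl == label]


def record_apt_identity(g, name, **attrs):
    """Enter the organization's identity record (alias, region, language, ...)."""
    return g.add_node("APT", name, **attrs)


def record_sample_context(g, apt, md5, family, accessed_domains, resolved_ips):
    """Record a confirmed sample and its context as identity information of the APT.
    resolved_ips maps each accessed domain to its historical resolution addresses."""
    sample = g.add_node("Sample", md5)
    g.add_edge(apt, "DELIVERED", sample)
    fam = g.add_node("Family", family)
    g.add_edge(sample, "MEMBER_OF", fam)
    for d in accessed_domains:
        dn = g.add_node("Domain", d)
        g.add_edge(sample, "ACCESSED", dn)
        g.add_edge(apt, "HIST_DOMAIN", dn)
        for ip in resolved_ips.get(d, []):
            ipn = g.add_node("IP", ip)
            g.add_edge(dn, "RESOLVED_TO", ipn)
            g.add_edge(apt, "HIST_IP", ipn)
    return sample


def extend_from_md5(g, md5, max_hops=4):
    """Route extension from the sample's MD5 node: breadth-first walk collecting the
    historical domains and IPs reachable through the sample, its family and the
    family members' infrastructure. The APT node itself is never crossed, otherwise
    every sample of the organization would be pulled in."""
    start = ("Sample", md5)
    found = {"domains": set(), "ips": set()}
    if start not in g.props:
        return found
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        node, hops = queue.popleft()
        label, key = node
        if label == "Domain":
            found["domains"].add(key)
        elif label == "IP":
            found["ips"].add(key)
        if hops >= max_hops:
            continue
        for nb in g.neighbours(node):
            if nb[0] == "APT" or nb in seen:
                continue
            seen.add(nb)
            queue.append((nb, hops + 1))
    return found


def build_demo_graph():
    """Constructed demo data: one APT, two samples of the same family."""
    g = IdentityGraph()
    apt = record_apt_identity(g, "APT-EXAMPLE", alias="Placeholder Group", region="unknown")
    m1 = hashlib.md5(b"constructed sample 1").hexdigest()
    m2 = hashlib.md5(b"constructed sample 2").hexdigest()
    record_sample_context(g, apt, m1, "FamilyX", ["c2-one.example"],
                          {"c2-one.example": ["203.0.113.10"]})
    record_sample_context(g, apt, m2, "FamilyX", ["c2-two.example"],
                          {"c2-two.example": ["203.0.113.11"]})
    return g, m1, m2


if __name__ == "__main__":
    g, m1, _ = build_demo_graph()
    print(extend_from_md5(g, m1))
```

Starting from the first sample, the walk reaches the second sample through the shared family node and therefore also returns the second sample's domain and resolution address; limiting `max_hops` to 1 restricts the result to the sample's own historical access domains.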
The malicious-sample-based APT analysis method of this embodiment relates to the field of computer information security. In general terms, malicious information extracted from mass files is provided; IOC (Indicators of Compromise, also called attack or intrusion indicators) and TTP (Tactics, Techniques and Procedures) information of the related APT organization is maintained from the IOC indicator features of each query (for example, by extracting and labelling metadata, processing it, extracting the related APT organization information and its context information, and recording information such as tactics and techniques); and metadata extraction and management are performed on mail samples and malicious file samples, so as to provide sample identification and result display for malicious samples and malicious mail information. At the same time, the IP addresses of affected users and the attack process information are recorded, the attack activity and its context information are stored in the data storage platform, and correlation analysis is performed on the interactions of the file samples. In this way, attack analysis and operations against APT groups are performed on the malicious samples, so that attack groups are discovered and continuously tracked, and the efficiency of sample analysis and operations is greatly improved.
In a complete implementation of this embodiment, the following functional modules are included, in order of the processing sequence: a network collector, a static sandbox, a dynamic sandbox, a high-confrontation sandbox cluster, an information matching module and an event response module.
Network collector: receives sample input automatically, for example delivered mail attachments; original files are automatically delivered in batches and uploaded to the sandbox interface;
Static sandbox: the sample file is first subjected to static detection in the static sandbox, where the static rules for malicious files are matched. Information is acquired by extracting file metadata, including file name, file type matching degree, file size, MD5 (Message-Digest Algorithm 5), SHA-1 (Secure Hash Algorithm 1), SHA-256, SHA-512, SSDeep and the like. At the same time, files are detected and screened by the rules of an OWL (Ontology Language) static engine;
Dynamic sandbox: simulates dynamic execution, analyzes host behavior, obtains the network behavior and screenshots during execution, and at the same time captures network traffic and samples;
High-confrontation sandbox cluster: stores the mass data and information of each detection result together with file type data; the historical data and file type data related to all sandbox results are stored in the cluster;
Information matching module: matches the IOC results of sandbox detection, obtains the family information, the accessed malicious domain names and the historical resolution addresses after associating the context, and can more accurately locate the family information of a malicious sample and analyze its association with APT groups. For example, by searching for a certain malicious sample in the sandbox and associating threat intelligence and WHOIS (a query protocol for looking up the registrant and IP (Internet Protocol) address information of a domain name) history, all information related to the file can be provided;
Event response module: collects statistics on and processes the results of the currently analyzed samples, provides case management and event association, and performs secondary production of intelligence as each engine and detection rule is updated in real time.
Fig. 3 is a complete service logic diagram of the embodiment of the present invention, and fig. 4 is a service flow diagram of the embodiment of the present invention, including:
Traffic collection flow: responsible for automatically collecting samples and delivering the collected samples in batches; mainly comprises a traffic collector and a sample collector;
Sandbox detection flow: comprises a static detection sandbox and a dynamic detection sandbox. Text semantic analysis and screening are carried out in the high-confrontation sandbox cluster by a static OWL filtering and extraction engine, where the static OWL rules detect and extract text data based on semantics and file meta-information. The OWL engine can identify file types and extracts the corresponding meta-information for each file type, such as the number of sections of a PE (Portable Executable) file, whether a signature exists and what it is, and the PDB (Program Database) path; the samples are then delivered to the corresponding static and dynamic sandboxes;
Data storage and response flow: responsible for the APT family information association of the sandbox and for case warehousing, and produces new intelligence.
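As an added example of the static-sandbox metadata extraction in the module list above and of the PE meta-information mentioned in the sandbox detection flow (example code, not from the patent), the following Python computes the file name, size, type, MD5, SHA-1, SHA-256 and SHA-512 of a sample and reads `NumberOfSections` from the COFF header of a PE file. SSDeep is omitted because it needs a third-party library; the magic-byte table and the minimal PE stub are constructed for the example.

```python
import hashlib
import struct


def file_hashes(data):
    """The hash set a static sandbox records for a sample."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


# Constructed magic-byte table for the example; a real engine has far more entries.
MAGIC = [
    (b"MZ", "PE"),
    (b"%PDF", "PDF"),
    (b"PK\x03\x04", "ZIP/Office"),
    (b"\x7fELF", "ELF"),
]


def detect_type(data):
    """File type by leading magic bytes."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    return "unknown"


def pe_section_count(data):
    """Return NumberOfSections from the COFF header, or None if not a well-formed PE.
    Layout: DOS header with e_lfanew at 0x3C -> 'PE\\0\\0' signature -> COFF header
    (Machine: 2 bytes, NumberOfSections: 2 bytes, ...)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need signature (4) + full COFF header (20) to be inside the file.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return struct.unpack_from("<H", data, e_lfanew + 6)[0]


def extract_metadata(name, data):
    """Metadata record as the static sandbox would produce it for one sample."""
    meta = {"file_name": name, "file_size": len(data), "file_type": detect_type(data)}
    meta.update(file_hashes(data))
    if meta["file_type"] == "PE":
        meta["pe_sections"] = pe_section_count(data)
    return meta


def build_minimal_pe(n_sections=3):
    """Constructed stub: 64-byte DOS header, PE signature and a COFF header only.
    It is not executable; it exists so the parser can be exercised offline."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, n_sections, 0, 0, 0, 0, 0)  # i386, n sections
    return bytes(dos) + b"PE\x00\x00" + coff


if __name__ == "__main__":
    print(extract_metadata("stub.exe", build_minimal_pe(3)))
    print(extract_metadata("doc.pdf", b"%PDF-1.4 constructed sample"))
```

The bounds checks in `pe_section_count` matter in a sandbox: a truncated or deliberately malformed header must yield `None` rather than an exception that stops the batch.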
Optionally, the execution subject of the above steps may be a cloud server or a local server connected to one or more clients or servers, and the clients may be mobile terminals, PCs, and the like, but are not limited thereto.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
Example 2
The present embodiment further provides an apparatus for tracking an APT organization, which may be a server; the apparatus is used to implement the foregoing embodiments and preferred implementations, and what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
Fig. 5 is a block diagram of an apparatus for tracking an APT organization according to an embodiment of the present invention, which may be applied in a server. As shown in fig. 5, the apparatus includes a determining module 50, a tracking module 52 and a judging module 54, wherein:
a determining module 50 for determining an associated IP address of a malicious sample;
a tracking module 52, configured to track the associated IP address and domain name information associated with the associated IP address;
and the judging module 54 is configured to judge whether the malicious sample is an attack sample delivered by an advanced persistent threat APT organization according to the associated IP address and/or the domain name information.
Optionally, the apparatus further comprises: the entry module is used for entering the identity information of the APT organization into a graph database before the judgment module judges whether the malicious sample is an attack sample delivered by the APT organization according to the associated IP address and/or the domain name information, wherein the graph database comprises at least one of the following components: historical access IP address, historical access domain name, APT organization alias, region where the APT organization is located, common language of the APT organization, attacker type, attack capability, earliest activity time, historical activity time, attack frequency, attack mode, attack range, attack region, responsible country, description information and attack tactical technology.
Optionally, the determining module includes: a judging unit, configured to judge whether a preset domain name list of the APT organization contains the domain name information and/or to judge whether a preset IP address range of the APT organization contains the associated IP address; and a processing unit, configured to determine that the malicious sample is an attack sample delivered by the APT organization when the preset domain name list of the APT organization contains the domain name information and/or the preset IP address range of the APT organization contains the associated IP address, and to record context information of the malicious sample into a graph database as identity information of the APT organization; and, when the preset domain name list of the APT organization does not contain the domain name information and/or the preset IP address range of the APT organization does not contain the associated IP address, to determine that the malicious sample is not an attack sample delivered by the APT organization.
Optionally, the processing unit includes: the analysis subunit is used for analyzing the family member information of the malicious sample; and the first entry subunit is used for taking the malicious sample and the historical access domain name and the historical resolution address of the family member information as the identity information of the APT organization to be entered into a graph database.
Optionally, the processing unit includes: a route extension subunit, configured to use the message digest algorithm MD5 node information of the malicious sample as the starting point of a route extension to obtain IOC association information of the malicious sample, where the IOC association information includes: historical access IP addresses and historical access domain names; and a second recording subunit, configured to record the IOC association information into a graph database as the identity information of the APT organization.
It should be noted that, the above modules may be implemented by software or hardware, and for the latter, the following may be implemented, but not limited to: the modules are all positioned in the same processor; alternatively, the modules are respectively located in different processors in any combination.
Example 3
Embodiments of the present invention also provide a storage medium having a computer program stored therein, wherein the computer program is arranged to perform the steps of any of the above method embodiments when executed.
Alternatively, in the present embodiment, the storage medium may be configured to store a computer program for executing the steps of:
S1, determining the associated IP address of the malicious sample;
S2, tracking the associated IP address and domain name information associated with the associated IP address;
and S3, judging whether the malicious sample is an attack sample delivered by the APT organization according to the associated IP address and/or the domain name information.
Optionally, in this embodiment, the storage medium may include, but is not limited to: various media capable of storing computer programs, such as a USB disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, or an optical disk.
Embodiments of the present invention also provide an electronic device comprising a memory having a computer program stored therein and a processor arranged to run the computer program to perform the steps of any of the above method embodiments.
Optionally, the electronic apparatus may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
S1, determining the associated IP address of the malicious sample;
S2, tracking the associated IP address and domain name information associated with the associated IP address;
and S3, judging whether the malicious sample is an attack sample delivered by the APT organization according to the associated IP address and/or the domain name information.
Optionally, the specific examples in this embodiment may refer to the examples described in the above embodiments and optional implementation manners, and this embodiment is not described herein again.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
In the above embodiments of the present application, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed technology can be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be substantially implemented or contributed to by the prior art, or all or part of the technical solution may be embodied in a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.
The foregoing is only a preferred embodiment of the present application and it should be noted that those skilled in the art can make several improvements and modifications without departing from the principle of the present application, and these improvements and modifications should also be considered as the protection scope of the present application.