The invention relates to the field of internet applications, and in particular, to a method and device for processing a network threat.
With the development of the information society, network information security reaches ever deeper into people's lives. Frequent information security incidents such as information leakage, data loss, and user privacy leakage give rise to great economic loss and have a significant adverse effect on society; they may even endanger national security. For example, in 2012, our secret unit found a malicious code which had lurked for seven years, and in May 2013 multiple South Korean banks and TV stations encountered hacker attacks that paralyzed the network over a large area.
With the development of science and technology, network threats have taken on new characteristics. New network threats have gradually shifted in nature from practical jokes to commercial interests, in sponsorship from individuals to gang organizations, and in technology from common viruses/Trojans to advanced persistent threats (APT for short hereinafter). These transformations expose network information security to a greater threat. For a new network threat, not only are its means covert, but the security defense system in the prior art also cannot grasp the vulnerability it exploits or the technique it uses. Therefore, the traditional security defense system cannot take corresponding technical means to counter the new network threat, so that information on people's production and lives suffers more serious security threats; once these threats materialize, a devastating impact that is difficult to estimate will be caused to the economy, to society, or even to national security.
In view of the above problems, the invention is proposed to provide a method for processing a network threat and a corresponding device, which overcome the above problems or at least in part solve the above problems.
According to an aspect of the invention, there is provided a method for processing a network threat comprising: listening for a network access behavior of a network device and acquiring a network datagram; analyzing the acquired network datagram to extract metadata; and detecting the metadata and determining an attack behavior, wherein the attack behavior comprises a known attack behavior and/or an unknown attack behavior.
According to another aspect of the invention, there is further provided a device for processing a network threat comprising: a listening module configured to listen for a network access behavior of a network device and acquire a network datagram; a data extraction module configured to analyze the acquired network datagram to extract metadata; and a determination module configured to detect the metadata and determine an attack behavior, wherein the attack behavior comprises a known attack behavior and/or an unknown attack behavior.
According to still another aspect of the invention, there is provided a computer program comprising a computer readable code which causes a computing device to perform the method for processing a network threat described above, when said computer readable code is running on the computing device.
According to yet still another aspect of the invention, there is provided a computer readable medium storing therein the computer program as described above.
According to the method for processing a network threat provided by embodiments of the invention, it can be possible to listen for a network access behavior of a network device, acquire a network datagram, extract metadata by analyzing the network datagram, and determine a known or unknown attack behavior according to detection of the metadata, which solves the problem in the prior art that the vulnerability and technique of a new network threat (comprising a known attack and an unknown attack) cannot be grasped, and then a corresponding technical means cannot be adopted to solve the new network threat. The method for processing a network threat provided by the embodiments of the invention acquires a network datagram by listening for a network access behavior of a network device in real time, can find out information such as a vulnerability attack of an unknown attack and the covert channel of the unknown attack, etc. dynamically according to the acquired network datagram, and can detect the unknown attack rapidly. In addition, the embodiments of the invention store the acquired network datagram to form historical data of a big data level, and perform analysis & mining on the big data, and then can detect an advanced covert attack, which is an effective means of performing supplementary detection on an attack missed due to the limitations of the prior art. From the above, by employing the method for processing a network threat provided by the embodiments of the invention, a new network threat, including a known attack behavior and an unknown attack behavior, can be found in time, and then a user is enabled to take a processing measure for the found new network threat, achieving the beneficial effect of ensuring that the people's production and lives and even the national security are free from network information security threats.
The above description is merely an overview of the technical solutions of the invention. In the following particular embodiments of the invention will be illustrated in order that the technical means of the invention can be more clearly understood and thus may be embodied according to the content of the specification, and that the foregoing and other objects, features and advantages of the invention can be more apparent.
Various other advantages and benefits will become apparent to those of ordinary skills in the art by reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of showing the preferred embodiments, and are not considered to be limiting to the invention. And throughout the drawings, like reference signs are used to denote like components. In the drawings:
In the following the invention will be further described in connection with the drawings and the particular embodiments.
It is mentioned in the related art that for a new network threat, not only its means is covert, but also the security defense system in the prior art can not grasp its vulnerability and technique. Therefore, the traditional security defense system can not take corresponding technical means to solve the new network threat, which results in that information on people's production and lives suffers more serious security threats, and yet once these security threats happen in reality, a devastating impact which it is difficult to estimate will be caused to the economy, the society, or even the national security.
To solve the above technical problem, an embodiment of the invention proposes a method for processing a network threat.
At the step S102, the network access behavior of a network device is listened for and a network datagram is acquired.
At the step S104, the acquired network datagram is analyzed to extract metadata.
At the step S106, the metadata is detected and an attack behavior is determined, wherein the attack behavior comprises a known attack behavior and/or an unknown attack behavior.
According to the method for processing a network threat provided by the embodiment of the invention, it can be possible to listen for the network access behavior of a network device, acquire a network datagram, extract metadata by analyzing the network datagram, and determine a known or unknown attack behavior according to detection of the metadata, which solves the problem in the prior art that the vulnerability and technique of a new network threat (comprising a known attack and an unknown attack) cannot be grasped, and then a corresponding technical means cannot be adopted to solve the new network threat. The method for processing a network threat provided by the embodiment of the invention acquires a network datagram by listening for the network access behavior of a network device in real time, can find out information such as a vulnerability attack of an unknown attack and the covert channel of the unknown attack, etc. dynamically according to the acquired network datagram, and can detect the unknown attack rapidly. In addition, the embodiment of the invention stores the acquired network datagram to form historical data of a big data level, and performs analysis & mining on the big data, and then can detect an advanced covert attack, which is an effective means of performing supplementary detection on an attack missed due to the limitations of the prior art. From the above, by employing the method for processing a network threat provided by the embodiment of the invention, a new network threat, including a known attack behavior and an unknown attack behavior, can be found in time, and then a user is enabled to take a processing measure for the found new network threat, achieving the beneficial effect of ensuring that the people's production and lives and even the national security are free from network information security threats.
It is mentioned in the above that embodiments of the invention can detect an attack behavior of a network threat and process it in time. As shown in
Now, the method for processing a network threat which is applied in the local detection engine 220 is taken as an example to introduce a method for processing a network threat provided by an embodiment of the invention.
After a network datagram is acquired, step S306 is performed to analyze the network datagram. In an embodiment of the invention, analysis of the acquired network datagram may analyze the source network address of the network datagram, or may analyze its destination address. Preferably, in an embodiment of the invention, so that an attack behavior in the network datagram can be detected and processed accurately in subsequent operations, the acquired network datagram is classified during analysis, and for each class the embodiment of the invention selects a corresponding policy to detect an attack behavior. When classifying the acquired network datagram, an embodiment of the invention may classify it according to the source address, the destination address, or any other information, and select a corresponding detection policy according to the classification result. Since the content of a network datagram allows it to be classified more comprehensively and accurately, preferably, in an embodiment of the invention, the acquired data is divided into a file-typed datagram and/or a non-file-typed datagram according to the attributes of the individual network datagrams. That is, according to the analysis, an acquired network datagram may be a file-typed datagram, a non-file-typed datagram, or a combination of a file-typed datagram and a non-file-typed datagram.
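The classification step above, as an added example that is not code from the patent or its applicant: each captured datagram is inspected for file attributes (a known file signature at the start of the payload or HTTP body, or headers announcing a download) and routed to the policy for its class. The datagram records, the signature table and the policy names are constructed assumptions for the demo.

```python
"""Classify captured datagrams into file-typed / non-file-typed classes and
dispatch a per-class detection policy. Added example, not the patent's code;
datagram records, signature table and policy names are constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed magic-number table; a real deployment would use a fuller library.
FILE_SIGNATURES = {
    b"MZ": "pe-executable",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip-container",
    b"\x7fELF": "elf-executable",
}


@dataclass
class Datagram:
    src: str
    dst: str
    dst_port: int
    payload: bytes


@dataclass
class Classification:
    kind: str                  # "file" or "non-file"
    file_type: Optional[str]   # detected file type for file-typed datagrams
    policy: str                # detection policy selected for the class


def _http_split(payload: bytes):
    """Split an HTTP message into (headers, body); (payload, b'') if there is no header block."""
    sep = payload.find(b"\r\n\r\n")
    if sep < 0:
        return payload, b""
    return payload[:sep], payload[sep + 4:]


def classify(dg: Datagram) -> Classification:
    headers, body = _http_split(dg.payload)
    candidate = body if body else dg.payload
    # Attribute 1: the payload (or the HTTP body) starts with a known file signature.
    for magic, ftype in FILE_SIGNATURES.items():
        if candidate.startswith(magic):
            return Classification("file", ftype, "restore-file-and-scan")
    # Attribute 2: HTTP headers announce a file download even if the signature is unknown.
    lowered = headers.lower()
    if b"content-disposition: attachment" in lowered or b"application/octet-stream" in lowered:
        return Classification("file", "unknown-binary", "restore-file-and-scan")
    # Everything else is non-file traffic and goes to network behavior detection.
    return Classification("non-file", None, "network-behavior-detection")


def classify_all(datagrams):
    """Return {policy: [datagram index, ...]} so each class can be handed to its detector."""
    buckets = {}
    for i, dg in enumerate(datagrams):
        buckets.setdefault(classify(dg).policy, []).append(i)
    return buckets


# Constructed sample traffic: a request, a binary download, a DNS query, a PDF and an attachment.
SAMPLE = [
    Datagram("10.0.0.5", "203.0.113.7", 80, b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"),
    Datagram("203.0.113.7", "10.0.0.5", 80,
             b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nMZ\x90\x00\x03"),
    Datagram("10.0.0.5", "198.51.100.2", 53, b"\x12\x34\x01\x00\x00\x01\x00\x00"),
    Datagram("10.0.0.9", "203.0.113.9", 443, b"%PDF-1.4\n%\xe2\xe3\xcf\xd3"),
    Datagram("203.0.113.9", "10.0.0.9", 80,
             b"HTTP/1.1 200 OK\r\nContent-Disposition: attachment; filename=\"r.bin\"\r\n\r\n\x00\x01"),
]

if __name__ == "__main__":
    for i, dg in enumerate(SAMPLE):
        print(i, classify(dg))
    print(classify_all(SAMPLE))
```

The signature check runs before the header check so that a mislabelled download is still treated as a file, and a datagram with no recognizable signature but a download header still reaches the file-restoration policy rather than being silently treated as plain traffic.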
After the network datagram is classified, step S308 as shown in
In addition, as shown at step S316 in
After detecting metadata and determining an attack behavior according to the processing flow of the method for processing a network threat as shown in
In the above, a method for processing a network threat provided by an embodiment of the invention has been introduced according to the flow chart as shown in
First, the real-time analysis module will be introduced.
Next, the sandbox detection module will be introduced.
After the static detection is finished, if an attack code is detected, it is determined that the file has a malicious behavior, and then corresponding processing is conducted. If a static attack code is not detected, semi-dynamic and dynamic detection is performed on the file utilizing a sandbox. As shown in
After finishing introduction of the real-time analysis module and the sandbox detection module, the known/unknown attack detection module will be introduced. After the acquired network datagram is judged to be a non-file-typed datagram, an embodiment of the invention detects a known/unknown attack behavior based on the principle of network abnormal behavior detection. As shown in
In addition, when conducting the above mentioned establishment of a network abnormal behavior model, an embodiment of the invention uses stored network datagrams. It is mentioned when introducing a method for processing a network threat provided by an embodiment of the invention, that in an embodiment of the invention, full flow storage is performed for the captured network datagram, and when the order of magnitude of the stored network datagrams arrives at big data level, for a determined attack behavior, the attack behavior may be backtracked based on big data analysis. Therefore, in the following, first, the attack detection & backtracking module which is based on big data analysis will be introduced, and second, that stored network datagrams are used to establish a network abnormal behavior model will be introduced.
In the attack detection & backtracking module which is based on big data analysis as shown in
After introducing the attack detection & backtracking module which is based on big data analysis,
For example, in an embodiment of this application, a server receives active accesses from clients and provides various response services to them. The server itself will only actively initiate an access behavior in limited situations, for example, to acquire a system patch. If, in a listened flow, the server actively accesses a European DNS (Domain Name System) server, then this access operation is inconsistent with the server's historical behavior, which shows that a suspicious behavior exists and that further detection needs to be performed.
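The historical-behavior comparison in this example, written out as added code that is not from the patent: the server's own outbound accesses are collected from stored flows into a profile, and any server-initiated access in the current window that is absent from the profile is flagged, with DNS traffic to a non-local resolver called out specifically. Flow records, host addresses and the country lookup table are constructed assumptions.

```python
"""Compare a server's current outbound accesses against its historical outbound
profile. Added example, not the patent's code; flows and the country table are
constructed (a real system would consult a GeoIP database)."""

# Constructed flow metadata: (initiator, responder, responder_port, protocol).
HISTORICAL_FLOWS = [
    ("10.0.0.20", "10.0.0.2", 53, "udp"),       # server -> internal resolver
    ("10.0.0.20", "10.0.0.50", 8530, "tcp"),    # server -> internal patch server
    ("10.0.0.20", "10.0.0.2", 53, "udp"),
    ("10.0.0.20", "10.0.0.50", 8530, "tcp"),
    ("192.0.2.10", "10.0.0.20", 443, "tcp"),    # clients -> server (not server-initiated)
    ("192.0.2.11", "10.0.0.20", 443, "tcp"),
]

CURRENT_FLOWS = [
    ("192.0.2.12", "10.0.0.20", 443, "tcp"),    # another client access, expected
    ("10.0.0.20", "10.0.0.2", 53, "udp"),       # matches history
    ("10.0.0.20", "198.51.100.9", 53, "udp"),   # server queries an unfamiliar external DNS
]

# Constructed stand-in for geolocation.
COUNTRY_OF = {"10.0.0.2": "local", "10.0.0.50": "local", "198.51.100.9": "EU-example"}


def build_outbound_profile(flows, host):
    """Set of (responder, port, proto) that the host itself initiated in the history."""
    return {(r, p, proto) for (i, r, p, proto) in flows if i == host}


def find_deviations(profile, flows, host):
    """Host-initiated accesses in `flows` that do not appear in the historical profile."""
    hits = []
    for (i, r, p, proto) in flows:
        if i != host:
            continue                      # inbound client access is the server's normal role
        if (r, p, proto) in profile:
            continue                      # seen before: consistent with history
        reason = "new destination"
        if p == 53 and COUNTRY_OF.get(r, "unknown") != "local":
            reason = "DNS to non-local resolver"
        hits.append({"host": host, "dst": r, "port": p, "proto": proto, "reason": reason})
    return hits


def score_host(historical, current, host):
    """Build the profile from history and return the deviations found in the current window."""
    return find_deviations(build_outbound_profile(historical, host), current, host)


if __name__ == "__main__":
    for hit in score_host(HISTORICAL_FLOWS, CURRENT_FLOWS, "10.0.0.20"):
        print(hit)
```

The profile is keyed on the server as initiator, so the growing set of client addresses never pollutes it; only what the server reaches out to on its own is compared, which is exactly the behavior the passage says should be rare and stable.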
In the above, a method for processing a network threat provided by an embodiment of the invention and specific module information therein have been introduced. To elaborate a method for processing a network threat provided by an embodiment of the invention more intuitively and clearly, now, a specific embodiment will be provided.
Based on the method for processing a network threat provided by the above individual preferred embodiments, and based on one and the same inventive concept, an embodiment of the invention provides a device for processing a network threat, which is used for the method for processing a network threat.
Now, functions of individual devices or components and a connection relationship between individual parts of the device for processing a network threat of the embodiment of the invention will be introduced.
The listening module 1910 is configured to listen for the network access behavior of a network device and acquire a network datagram.
The data extraction module 1920 is coupled to the listening module 1910 and configured to analyze the acquired network datagram to extract metadata.
The determination module 1930 is coupled to the data extraction module 1920 and configured to detect the metadata and determine an attack behavior, wherein the attack behavior comprises a known attack behavior and/or an unknown attack behavior.
According to the method for processing a network threat provided by embodiments of the invention, it can be possible to listen for the network access behavior of a network device, acquire a network datagram, extract metadata by analyzing the network datagram, and determine a known or unknown attack behavior according to detection of the metadata, which solves the problem in the prior art that the vulnerability and technique of a new network threat (comprising a known attack and an unknown attack) cannot be grasped, and then a corresponding technical means cannot be adopted to solve the new network threat. The method for processing a network threat provided by the embodiments of the invention acquires a network datagram by listening for the network access behavior of a network device in real time, can find out a vulnerability attack of an unknown attack and the covert channel of the unknown attack, dynamically according to the acquired network datagram, and can detect the unknown attack rapidly. In addition, the embodiments of the invention store the acquired network datagram to form historical data of a large data level, and perform analysis & mining on the large data, and then can detect an advanced covert attack, which is an effective means of performing supplementary detection on an attack missed due to the limitations of the prior art. From the above, by employing the method for processing a network threat provided by the embodiments of the invention, a new network threat, including a known attack behavior and an unknown attack behavior, can be found in time, and then a user is enabled to take a processing measure for the found new network threat, achieving the beneficial effect of ensuring that the people's production and lives and even the national security are free from network information security threats.
In a preferred embodiment, the data extraction module 1920 is further configured to
classify the acquired network datagram; and
select a corresponding policy to detect an attack behavior for each class.
In a preferred embodiment, the data extraction module 1920 is further configured to divide acquired data into a file-typed datagram and/or a non-file-typed datagram according to the attributes of individual network datagrams.
In a preferred embodiment, the data extraction module 1920 is further configured to, for a file-typed datagram, restore it to a file; and
detect the restored file, to detect whether the file has a malicious behavior.
In a preferred embodiment, the data extraction module 1920 is further configured to utilize a sandbox detection mode to detect the restored file.
In a preferred embodiment, the data extraction module 1920 is further configured to
detect whether the file has a malicious behavior based on the principle of network abnormal behavior detection.
In a preferred embodiment, the data extraction module 1920 is further configured to,
for a non-file-typed datagram,
detect an attack behavior based on the principle of network abnormal behavior detection.
In a preferred embodiment, the data extraction module 1920 is further configured to extract network behavior information of metadata;
conduct multidimensional network behavior statistics for the network behavior information;
establish a network abnormal behavior model utilizing decision tree classification rules according to the statistical result; and
use the network abnormal behavior model to determine an attack behavior.
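The four steps just listed (extract behavior information, multidimensional statistics, a decision-tree model, classification) as one added example that is not the patent's own model: per-host statistics are computed over several dimensions from flow metadata, per-dimension thresholds are derived from the population's median and spread, and a hand-written decision tree tests those dimensions in sequence. The flow records, the five dimensions, the threshold rule and the tree layout are all constructed assumptions.

```python
"""Multidimensional per-host behavior statistics plus decision-tree rules.
Added example, not the patent's model; flows, dimensions, the threshold rule
and the tree structure are constructed for the demo."""
import statistics
from collections import defaultdict

# Constructed metadata: (src, dst, dst_port, bytes_out, hour_of_day)
FLOWS = [
    ("10.0.0.11", "10.0.0.2", 53, 80, 9), ("10.0.0.11", "203.0.113.5", 443, 4000, 10),
    ("10.0.0.11", "203.0.113.6", 443, 3500, 11), ("10.0.0.11", "10.0.0.2", 53, 70, 14),
    ("10.0.0.12", "10.0.0.2", 53, 90, 9), ("10.0.0.12", "203.0.113.5", 443, 5000, 13),
    ("10.0.0.12", "203.0.113.7", 443, 2000, 15),
    ("10.0.0.13", "10.0.0.2", 53, 75, 10), ("10.0.0.13", "203.0.113.8", 443, 3000, 11),
    # 10.0.0.40: off-hours, heavy outbound volume, unusual DNS volume to an external resolver
    ("10.0.0.40", "198.51.100.1", 53, 900, 2), ("10.0.0.40", "198.51.100.1", 53, 950, 2),
    ("10.0.0.40", "198.51.100.1", 53, 980, 3), ("10.0.0.40", "203.0.113.20", 443, 120000, 3),
    ("10.0.0.40", "203.0.113.21", 443, 90000, 3), ("10.0.0.40", "203.0.113.22", 443, 110000, 4),
]

DIMENSIONS = ("connections", "distinct_dsts", "bytes_out", "dns_bytes", "off_hours_ratio")


def behavior_stats(flows):
    """Steps 1-2: extract behavior information and aggregate it per host along each dimension."""
    per = defaultdict(lambda: {"connections": 0, "dsts": set(), "bytes_out": 0,
                               "dns_bytes": 0, "off_hours": 0})
    for src, dst, port, nbytes, hour in flows:
        h = per[src]
        h["connections"] += 1
        h["dsts"].add(dst)
        h["bytes_out"] += nbytes
        if port == 53:
            h["dns_bytes"] += nbytes
        if hour < 6 or hour > 20:
            h["off_hours"] += 1
    return {host: {"connections": h["connections"],
                   "distinct_dsts": len(h["dsts"]),
                   "bytes_out": h["bytes_out"],
                   "dns_bytes": h["dns_bytes"],
                   "off_hours_ratio": h["off_hours"] / h["connections"]}
            for host, h in per.items()}


def thresholds(stats):
    """Per-dimension threshold = median + 3 * median absolute deviation (robust to one outlier)."""
    th = {}
    for dim in DIMENSIONS:
        vals = [s[dim] for s in stats.values()]
        med = statistics.median(vals)
        spread = statistics.median(abs(v - med) for v in vals)
        th[dim] = med + 3 * max(spread, 1e-9)   # floor keeps a zero-spread dimension usable
    return th


def decision_tree(host_stats, th):
    """Step 3: decision-tree classification rules; each internal node tests one dimension."""
    if host_stats["bytes_out"] > th["bytes_out"]:
        if host_stats["distinct_dsts"] > th["distinct_dsts"]:
            return "suspected-scan-or-spread"
        if host_stats["off_hours_ratio"] > th["off_hours_ratio"]:
            return "suspected-exfiltration"
        return "heavy-but-in-hours"
    if host_stats["dns_bytes"] > th["dns_bytes"]:
        return "suspected-dns-tunnel"
    return "normal"


def classify_hosts(flows):
    """Step 4: apply the model to every host seen in the metadata."""
    stats = behavior_stats(flows)
    th = thresholds(stats)
    return {host: decision_tree(s, th) for host, s in stats.items()}


if __name__ == "__main__":
    for host, label in sorted(classify_hosts(FLOWS).items()):
        print(host, label)
```

Deriving the thresholds from the population rather than hard-coding them is what lets the same tree be reused across networks with different baseline volumes; the tree itself stays readable, which matters when an analyst has to explain why a host was labelled.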
In a preferred embodiment, the device for processing a network threat further comprises:
a backup module 1940 configured to perform full flow storage for a captured network datagram for use for subsequent analysis.
In a preferred embodiment, the backup module 1940 is further configured to perform attack detection based on big data analysis on stored network datagrams to determine an attack behavior when the order of magnitude of the stored network datagrams arrives at big data level; and/or
for a determined attack behavior, backtrack the attack behavior based on big data analysis.
In a preferred embodiment, the operation of backtracking the attack behavior based on big data analysis comprises at least one of the following:
locating an attack source of the attack behavior;
restoring an access behavior corresponding to the attack behavior; and
restoring access content corresponding to the attack behavior.
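The three backtracking operations above, as an added example that is not code from the patent: a constructed full-flow packet store is grouped into sessions, each direction's payload is reassembled in sequence order (dropping retransmits and tolerating out-of-order arrival), the session whose delivered body matches the determined attack sample is found, and from it the attack source, the attacked terminal, the subsequent access behavior of that terminal and the delivered content are recovered. The packet records and the attack sample hash are constructed for the demo (the hash is computed from the sample so the example runs offline).

```python
"""Backtrack a determined attack through stored full-flow packets: locate the
source, restore the access behavior and restore the delivered content.
Added example, not the patent's code; packet store and sample are constructed."""
import hashlib

# Constructed full-flow store: (ts, src, sport, dst, dport, tcp_seq, payload)
PACKET_STORE = [
    (100.0, "10.0.0.5", 51000, "203.0.113.7", 80, 1, b"GET /update.bin HTTP/1.1\r\nHost: cdn\r\n\r\n"),
    (100.2, "203.0.113.7", 80, "10.0.0.5", 51000, 1, b"HTTP/1.1 200 OK\r\n\r\n"),   # 19 bytes
    (100.3, "203.0.113.7", 80, "10.0.0.5", 51000, 27, b"-payload-"),               # out of order
    (100.3, "203.0.113.7", 80, "10.0.0.5", 51000, 20, b"MZ-evil"),
    (100.4, "203.0.113.7", 80, "10.0.0.5", 51000, 20, b"MZ-evil"),                 # retransmit
    (101.0, "10.0.0.5", 51001, "10.0.0.9", 445, 1, b"SMB session to fileserver"),
    (102.0, "10.0.0.5", 51002, "198.51.100.9", 53, 1, b"\x00\x01dns"),
    (50.0, "10.0.0.6", 52000, "203.0.113.7", 80, 1, b"GET / HTTP/1.1\r\n\r\n"),
]

# Constructed "determined attack": the hash of the restored file that earlier detection flagged.
BAD_SAMPLE_HASH = hashlib.sha256(b"MZ-evil-payload-").hexdigest()


def group_sessions(store):
    """Group packets by bidirectional session key (both endpoints, order-independent)."""
    sessions = {}
    for pkt in store:
        key = tuple(sorted([(pkt[1], pkt[2]), (pkt[3], pkt[4])]))
        sessions.setdefault(key, []).append(pkt)
    return sessions


def reassemble(pkts, sender):
    """Concatenate one direction's payload in sequence order; drops retransmits, trims overlaps."""
    segs = sorted((p[5], p[6]) for p in pkts if (p[1], p[2]) == sender)
    out, expected = bytearray(), None
    for seq, data in segs:
        if expected is None:
            expected = seq
        if seq + len(data) <= expected:
            continue                              # fully retransmitted segment
        if seq < expected:
            data, seq = data[expected - seq:], expected   # partial overlap
        expected = seq + len(data)                # a gap (seq > expected) is simply lost data
        out += data
    return bytes(out)


def access_behavior(store, host, since):
    """Sessions the host itself initiated at or after `since`, in time order."""
    firsts = [min(pkts, key=lambda p: p[0]) for pkts in group_sessions(store).values()]
    return sorted((p[0], p[3], p[4]) for p in firsts if p[1] == host and p[0] >= since)


def backtrack(store, bad_hash):
    """Locate the session that delivered the flagged sample and reconstruct its context."""
    for key, pkts in group_sessions(store).items():
        for sender in key:
            content = reassemble(pkts, sender)
            body = content.split(b"\r\n\r\n", 1)[-1]       # HTTP body, or whole payload if no headers
            if hashlib.sha256(body).hexdigest() != bad_hash:
                continue
            receiver = key[0] if key[1] == sender else key[1]
            delivered_at = min(p[0] for p in pkts)
            return {
                "attack_source": sender[0],
                "attacked_terminal": receiver[0],
                "delivered_at": delivered_at,
                "access_behavior": access_behavior(store, receiver[0], delivered_at),
                "access_content": content,
            }
    return None


if __name__ == "__main__":
    print(backtrack(PACKET_STORE, BAD_SAMPLE_HASH))
```

Matching on the reassembled body rather than on individual packets is what makes the search robust to retransmits and reordering, and the restored access behavior (here the terminal's later SMB and DNS sessions) is what an analyst uses to judge how far the incident spread after delivery.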
In a preferred embodiment, the device for processing a network threat further comprises:
an upgrade module 1950 configured to, after detecting metadata and determining an attack behavior, upgrade a security means used on the network device according to an unknown attack behavior, such that it can defend against the unknown attack behavior.
In a preferred embodiment, after determining an attack behavior, alarm information (e.g., an attacked terminal, an attack source, an attack sample, etc.) is generated and transmitted to a security defense means on the network device for further detection and killing by the security defense means.
In a preferred embodiment, detecting metadata and determining an attack behavior comprises: detecting metadata and determining an attack behavior via a local detection engine and/or a cloud detection engine.
In a preferred embodiment, the local detection engine is employed in preference (for example, in environments where an external network cannot be connected to), and when it cannot determine an attack behavior, the metadata is sent to the cloud detection engine for further detection. In this case, the cloud detection engine acts as a complement to the local detection engine.
According to any one of the above preferred embodiments or a combination of the above multiple preferred embodiments, embodiments of the invention can achieve the following beneficial effects:
According to the method for processing a network threat provided by embodiments of the invention, it can be possible to listen for the network access behavior of a network device, acquire a network datagram, extract metadata by analyzing the network datagram, and determine a known or unknown attack behavior according to detection of the metadata, which solves the problem in the prior art that the vulnerability and technique of a new network threat (comprising a known attack and an unknown attack) cannot be grasped, and then a corresponding technical means cannot be adopted to solve the new network threat. The method for processing a network threat provided by the embodiments of the invention acquires a network datagram by listening for the network access behavior of a network device in real time, can find out information such as a vulnerability attack of an unknown attack and the covert channel of the unknown attack, etc. dynamically according to the acquired network datagram, and can detect the unknown attack rapidly. In addition, the embodiments of the invention store the acquired network datagram to form historical data of a large data level, and perform analysis & mining on the large data, and then can detect an advanced covert attack, which is an effective means of performing supplementary detection on an attack missed due to the limitations of the prior art. From the above, by employing the method for processing a network threat provided by the embodiments of the invention, a new network threat, including a known attack behavior and an unknown attack behavior, can be found in time, and then a user is enabled to take a processing measure for the found new network threat, achieving the beneficial effect of ensuring that the people's production and lives and even the national security are free from network information security threats.
In the specification provided herein, a plenty of particular details are described. However, it can be appreciated that an embodiment of the invention may be practiced without these particular details. In some embodiments, well known methods, structures and technologies are not illustrated in detail so as not to obscure the understanding of the specification.
Similarly, it shall be appreciated that, in order to simplify the disclosure and help the understanding of one or more of the various inventive aspects, individual features of the invention are sometimes grouped together in the above description of the exemplary embodiments into a single embodiment, figure, or description thereof. However, the disclosed methods should not be construed as reflecting an intention that the claimed invention requires more features than are explicitly recited in each claim. More precisely, as reflected in the following claims, an inventive aspect lies in less than all the features of a single previously disclosed embodiment. Therefore, the claims following a particular implementation are hereby incorporated into that implementation, with each claim standing on its own as an individual embodiment of the invention.
It may be appreciated by those skilled in the art that the modules in a device of an embodiment may be changed adaptively and arranged in one or more devices different from that embodiment. Modules, units or assemblies may be combined into one module, unit or assembly, and additionally may be divided into multiple sub-modules, sub-units or subassemblies. Except where at least some of such features and/or procedures or units are mutually exclusive, all the features disclosed in the specification (including the accompanying claims, abstract and drawings) and all the procedures or units of any method or device so disclosed may be combined in any combination. Unless explicitly stated otherwise, each feature disclosed in the specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving an identical, equivalent or similar purpose.
Furthermore, it can be appreciated by those skilled in the art that, although some embodiments described herein comprise some features and not other features comprised in other embodiments, a combination of features of different embodiments is meant to be within the scope of the invention and to form a different embodiment. For example, in the following claims, any of the claimed embodiments may be used in any combination.
Embodiments of the individual components of the invention may be implemented in hardware, or in a software module running on one or more processors, or in a combination thereof. It will be appreciated by those skilled in the art that, in practice, some or all of the functions of some or all of the components in a device for processing a network threat according to individual embodiments of the invention may be realized using a microprocessor or a digital signal processor (DSP). The invention may also be implemented as a device or apparatus program (e.g., a computer program and a computer program product) for carrying out a part or all of the method as described herein. Such a program implementing the invention may be stored on a computer readable medium, or may be in the form of one or more signals. Such a signal may be obtained by downloading it from an Internet website, or provided on a carrier signal, or provided in any other form.
For example,
“An embodiment”, “the embodiment” or “one or more embodiments” mentioned herein implies that a particular feature, structure or characteristic described in connection with an embodiment is included in at least one embodiment of the invention. In addition, it is to be noted that, examples of a phrase “in an embodiment” herein do not necessarily all refer to one and the same embodiment.
It is to be noted that the above embodiments illustrate rather than limit the invention, and those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprise" does not exclude the presence of an element or a step not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several apparatuses, several of the apparatuses may be embodied by one and the same hardware item. Use of the words first, second, third, etc. does not imply any ordering; such words may be construed as names.
Furthermore, it is also to be noted that the language used in the description is selected mainly for readability and teaching, not for explaining or defining the subject matter of the invention. Therefore, for those of ordinary skill in the art, many modifications and variations are apparent without departing from the scope and spirit of the appended claims. As to the scope of the invention, the disclosure of the invention is illustrative rather than limiting, and the scope of the invention is defined by the appended claims.
Number | Date | Country | Kind |
---|---|---|---|
201410053974.6 | Feb 2014 | CN | national |
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/CN2014/095678 | 12/30/2014 | WO | 00 |