Looking for breakthrough ideas for innovation challenges? Try Patsnap Eureka!

APT detection method based on matching of flow fingerprint and communication features

A technology of communication features and detection methods, applied in electrical components, transmission systems, etc., can solve problems such as being difficult to be detected in advance, and achieve the effect of improving detection accuracy and speed of discovery

Inactive Publication Date: 2018-11-16
成都康乔电子有限责任公司 +1
View PDF3 Cites 16 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

Many security protection companies around the world have conducted long-term analysis and research on APT attacks, and have given detection reports on the characteristics of APT. The report shows that an APT attack event usually includes six main processes and lasts for a long time. During the period of data collection in the early stage and the intrusion and data acquisition stage in the later stage, various attack methods will be used, because these attack methods are usually carried out with viruses automatically generated by software, which results in multiple matching attacks in the attack process. characteristics, which are difficult to detect in advance

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • APT detection method based on matching of flow fingerprint and communication features
  • APT detection method based on matching of flow fingerprint and communication features
  • APT detection method based on matching of flow fingerprint and communication features

Examples

Experimental program
Comparison scheme
Effect test

Embodiment Construction

[0022] It should be noted that, in the case of no conflict, the embodiments of the present invention and the features in the embodiments can be combined with each other.

[0023] Specific embodiments of the invention will be described in detail below.

[0024] A kind of APT detection method based on traffic fingerprint and communication feature matching, comprises the following steps:

[0025] Use sniff to collect traffic data, then use pyshark to analyze network packets, obtain source and destination IP addresses, source and destination ports, protocol types, and traffic packet sizes in traffic packets, and save traffic fingerprints including the above metadata to form network traffic Fingerprint library; the hardware system corresponding to this step is defined as the traffic feature extraction module;

[0026] Select URLs and HOSTs of well-known websites in the Internet and websites that are often used in daily life to build a communication feature library; the corresp...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

The invention provides an APT detection method based on the matching of a flow fingerprint and communication features, and the method comprises the steps: obtaining and storing a flow fingerprint of anetwork flow to form a network flow fingerprint database; building a communication feature database; carrying out the layer-by-layer analysis of a captured data packet according to the TCP / IP protocol; carrying out the abnormal flow detection, and performing the matching of the communication features of the flow packet with the communication feature database according to the comparison of the calculated flow fingerprint feature information entropy and a fingerprint baseline; and carrying out the comparison of the abnormal flow communication features with the features in an APT communication feature database. The method achieves the quick analysis of the network flow through a flow analysis method, obtains the network flow fingerprint and the communication features, judges whether the network flow is abnormal or not through a communication feature matching result and a flow fingerprint feature baseline change result, improves the discovery speed of the abnormal flow, performs the matching of the communication features of the abnormal flow with the APT communication feature database, judges whether the abnormality is an APT attack or not, and greatly improves the APT attack detection precision.

Description

technical field [0001] The invention belongs to the technical field of APT attack detection, and in particular relates to an APT detection method based on traffic fingerprint and communication feature matching. Background technique [0002] Analyzing the network through traffic is now relatively mature and has become the mainstream method for detecting the network. By capturing network traffic and then analyzing it, it is possible to identify various states of the network. In our daily work and life, network traffic is in a normal state most of the time, and there is only a small probability that abnormalities will occur. Therefore, using most The difference between the normal situation and the occurrence of anomalies can detect the occurrence of anomalies in the network in time. Many security protection companies around the world have conducted long-term analysis and research on APT attacks, and have given detection reports on the characteristics of APT. The report shows t...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
IPC IPC(8): H04L29/06
CPCH04L63/14H04L63/1416H04L63/1425H04L63/1441
Inventor 刘丹李广阅王永松
Owner 成都康乔电子有限责任公司
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Patsnap Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Patsnap Eureka Blog
Learn More
PatSnap group products

Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic, Popular Technical Reports.

© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap|About US| Contact US: help@patsnap.com