With the diversification and growing complexity of network threats, and with the challenge of APT attacks, the new generation of threats not only spreads faster but also uses an ever broader attack surface, covering mobile, desktop, network, web, all kinds of applications, social networks and so on. Under the new normal, the information that traditional NIPS/NIDS devices alone provide can no longer meet customers' needs; specialization, systematization and intelligence are becoming more and more critical. In particular, with the development of the Internet and rising expectations for user experience, it is all the more necessary to show customers the whole dynamic attack process directly, through big data analysis of network threat behaviour.
To meet customers' needs, simplify device operation, give customers an intuitive picture of the attack process and adapt to the change in threat perception under the new normal, the dimensions along which traditional NIPS vulnerability rules are divided need to be adjusted and combined with a complete solution, so as to move beyond the stateless, single-event, single-alarm statistics that traditional NIPS devices display to customers. The vulnerability rules are re-divided according to the attack chain of an event; the data processing centre analyses the logs of the newly classified alarms; and an intelligent situation analysis module presents the whole attack process to customers from a big data perspective in five stages (detection scanning, penetration attack, attack intrusion, tool installation and malicious behaviour).
So what is the new normal? The phrase is a "Xi-style" buzzword. "New" means different from the old; "normal" means an inherent, settled state; the new normal is therefore a state of development that differs from the past, is a trend and is irreversible. What, then, is the new normal of network security threats? It is to rely on the integration of a large-scale security intelligence system with professional and intelligent big data analysis modules, and to make full use of the data-driven security mode, to realize an all-weather, all-round, multi-dimensional and three-dimensional "man, machine, ground, cloud" network security threat perception solution.
Alarm problems of traditional equipment
The alarm log is the first-hand, intuitive alarm information shown to users after a device detects an intrusion. Depending on the network tier at which a device is deployed, the number of alarm logs differs by several orders of magnitude. To improve the overall effect of threat perception, the way network threats are presented must be transformed: extended from the virtual to the physical, and from a partial to a whole grasp of the situation. Analysis of the alarm log is the means of focusing on the global threat situation and opening a new paradigm of threat perception, so that analysis is critical. It includes the classification of alarm logs, whose dimensions directly affect how customers identify and judge the alarms, and therefore how well threat situation awareness is presented.
Traditional device vulnerability rule category
A device currently has thousands of rule entries, and rule classification is closely tied to rational policy configuration. A traditional NIPS classifies rules along several dimensions, bringing them from disorder to order: attack category, protocol category, service type, technical means, threat level and so on. The following figure shows two of these classification forms:
Figure: Traditional device vulnerability rules
Display of equipment alarm information
Once a device raises an alarm, its "one attack, one report" display mode is rather limited.
Figure: "one attack, one report" alarm display
Shortcomings of traditional equipment classification
Traditional NIPS classification sorts rules only along single, stateless dimensions such as attack type. The resulting alarm display cannot grasp the attack process as a whole, cannot show the effect of an attack directly, cannot guide the user to a judgement about the attack behaviour, and cannot fit today's big-data-driven network security defence schemes.
Threat awareness system
To build threat situation awareness under the new normal, a new alarm log analysis platform is formed, with the new rules as its core, the new classification as its basis and the attack chain as its guiding thread. Alongside the change and escalation of network attack behaviour, a fundamentally different, stateful attack detection and early warning scheme is formed, based on objective and diversified attack patterns. This replaces the ingrained single-point "one attack, one report" warning mode, changes the way of thinking, and so drives improvements in product quality, solution and user experience. Combined with users' demand for comprehensive control of dynamic threat perception, and working from big data mining through intelligent data analysis, it truly breaks out of the traditional NIPS detection and warning mode and finally realizes threat situation awareness under the new normal.
Rule classification standard based on attack chain model
The classification of rules ultimately determines how the whole attack chain is constructed later and how effective threat perception is. To adapt to new attack behaviours and techniques, the existing rules are divided into five attack stages: the detection scanning stage, the penetration attack stage, the attack intrusion stage, the tool installation stage and the malicious behaviour stage.
- Detection scanning stage. Covers the attacker's scanning of the target before the attack proper: network scanning, system scanning, port scanning, vulnerability scanning and so on. Scanning is the preparatory stage of an intrusion; by collecting information, the attacker learns the target's system and vulnerability details, which makes the subsequent intrusion far easier.
- Penetration attack stage. The target has been scanned, or is attacked directly: the attacker launches attacks on the target host using stack and heap vulnerabilities, web platform vulnerabilities, logic and configuration errors, memory corruption vulnerabilities and so on.
- Attack intrusion stage. At this stage the target host has been successfully compromised and the attacker can go on to do whatever he wants; examples are a successful FTP login or a successful telnet password guess.
- Tool installation stage. After successfully entering the target host, the attacker installs malware, Trojan programs or direct mounts, and uses these malicious tools to establish a control link back to the attacker, download further malware and so on.
- Malicious behaviour stage. After the malware has been installed on the target host, this stage covers the malicious behaviour it produces there: maintaining control links, performing malicious operations on the host and so on.
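As an added example (not code from the post or the vendor's product), the following Python script shows what the stage classification enables: each alarm is mapped to one of the five stages and the alarms for a target host are replayed in time order into a single stateful chain, so the display can say how far an attacker has got rather than reporting "one attack, one report". The rule names, the rule-to-stage table and the alarm records are constructed for the example.

```python
from collections import defaultdict

# The post's five attack-chain stages, in attack order.
STAGES = ["scan", "exploit", "intrusion", "install", "malicious"]

# Assumed sample mapping of rule names to stages; the rule names are
# constructed for this example, not taken from a real NIPS rule base.
RULE_STAGE = {
    "port_scan": "scan", "vuln_scan": "scan",
    "stack_overflow": "exploit", "web_sqli": "exploit",
    "ftp_login_ok": "intrusion", "telnet_guess_ok": "intrusion",
    "trojan_download": "install", "c2_command": "malicious",
}

def stage_of(rule):
    """Map a rule name to its attack-chain stage ('unknown' if unmapped)."""
    return RULE_STAGE.get(rule, "unknown")

def build_chains(alerts):
    """Replay alerts in time order and keep one stateful chain per target
    host: the ordered stage transitions, the deepest stage reached and the
    attacker IPs seen. Returns {dst_ip: chain_dict}."""
    chains = defaultdict(lambda: {"stages": [], "deepest": None, "attackers": set()})
    for a in sorted(alerts, key=lambda a: a["ts"]):
        st = stage_of(a["rule"])
        if st == "unknown":
            continue  # an unclassified rule cannot advance a chain
        c = chains[a["dst"]]
        c["attackers"].add(a["src"])
        if not c["stages"] or c["stages"][-1][1] != st:
            c["stages"].append((a["ts"], st))  # collapse repeats of one stage
        if c["deepest"] is None or STAGES.index(st) > STAGES.index(c["deepest"]):
            c["deepest"] = st
    return dict(chains)

def stage_names(chain):
    """The stage sequence a host went through, e.g. ['scan', 'exploit']."""
    return [st for _, st in chain["stages"]]

# Constructed alarm log (ISO timestamps sort correctly as strings).
SAMPLE = [
    {"ts": "2015-06-01T10:00:00", "src": "203.0.113.5", "dst": "192.0.2.10", "rule": "port_scan"},
    {"ts": "2015-06-01T10:01:00", "src": "203.0.113.5", "dst": "192.0.2.10", "rule": "vuln_scan"},
    {"ts": "2015-06-01T10:02:00", "src": "203.0.113.9", "dst": "192.0.2.20", "rule": "port_scan"},
    {"ts": "2015-06-01T10:05:00", "src": "203.0.113.5", "dst": "192.0.2.10", "rule": "web_sqli"},
    {"ts": "2015-06-01T10:07:00", "src": "203.0.113.5", "dst": "192.0.2.10", "rule": "ftp_login_ok"},
    {"ts": "2015-06-01T10:09:00", "src": "203.0.113.5", "dst": "192.0.2.10", "rule": "trojan_download"},
    {"ts": "2015-06-01T10:30:00", "src": "203.0.113.5", "dst": "192.0.2.10", "rule": "c2_command"},
    {"ts": "2015-06-01T10:31:00", "src": "203.0.113.9", "dst": "192.0.2.20", "rule": "unclassified"},
]
```

Running `build_chains(SAMPLE)` yields a full five-stage chain for 192.0.2.10 and a scan-only chain for 192.0.2.20, which is the difference between a host that was merely probed and one that is under an attacker's control.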
Figure: Attack techniques
Display mode
To show the duration and timing of each stage and event of an attack more clearly and intuitively, the following form can be used:
Figure: Attack timeline
New normal threat perception system
With the new classification in place, data mining and data analysis techniques are combined to show the attacker's whole attack process to users more intuitively and visually, including attack source IP, target IP, the vulnerability exploited, number of attacks and attack stage. The classified alarm information generated by the device is uploaded to the data processing centre (BSA), which performs the data mining and analysis and displays the results to the user visually. Relying on the integration of massive data with professional and intelligent big data analysis modules, and making full use of the data-driven security mode, the all-weather, all-round, multi-dimensional and three-dimensional "man, machine, ground, cloud" network security threat perception solution is realized.
Figure: New normal threat perception system
Threat perception effect under big data analysis
To give users a more intuitive perception of the attack situation, the big data processing centre produces a variety of renderings that dynamically portray network attack behaviour in terms of time and number of attacks.
Figure: Threat perception effect
To present more attack information to users, attack warnings are grouped into different events, including one-to-one, one-to-many and many-to-one attacks and other forms. At the same time, the number of attacks and attack events per unit time is displayed. This gives users a visual way to understand and master the overall attack situation in good time.
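The grouping described above, as an added example that is not the post's or the product's own code: alarms are bucketed into fixed time windows, alarms within a window that share an attacker or a target are merged into one event (connected components of the source/target graph), and each event is labelled one-to-one, one-to-many, many-to-one or many-to-many and counted. The alarm records are constructed and carry only a timestamp, source and target; the window length is an assumed parameter.

```python
from collections import defaultdict
from datetime import datetime

def event_form(srcs, dsts):
    """Name the event form from the number of distinct attackers and targets."""
    if len(srcs) == 1:
        return "one-to-one" if len(dsts) == 1 else "one-to-many"
    return "many-to-one" if len(dsts) == 1 else "many-to-many"

def find(parent, x):
    """Union-find root lookup (path halving); unseen nodes are their own root."""
    parent.setdefault(x, x)
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def correlate(alerts, minutes=10):
    """Per time window, merge alerts sharing an attacker or a target into one
    event (connected components of the source/target graph), then label the
    event form and count its alerts. Returns {window_start: [event, ...]}."""
    by_window = defaultdict(list)
    for a in alerts:
        t = datetime.fromisoformat(a["ts"])
        w = t.replace(minute=t.minute - t.minute % minutes, second=0).isoformat()
        by_window[w].append(a)
    result = {}
    for w, items in sorted(by_window.items()):
        parent = {}
        for a in items:  # "s:"/"d:" prefixes keep source and target nodes apart
            parent[find(parent, "s:" + a["src"])] = find(parent, "d:" + a["dst"])
        comps = defaultdict(list)
        for a in items:
            comps[find(parent, "s:" + a["src"])].append(a)
        events = [{"form": event_form({m["src"] for m in ms}, {m["dst"] for m in ms}),
                   "sources": sorted({m["src"] for m in ms}),
                   "targets": sorted({m["dst"] for m in ms}), "count": len(ms)}
                  for ms in comps.values()]
        result[w] = sorted(events, key=lambda e: (-e["count"], e["sources"]))
    return result

# Constructed alarm records for the example (not real traffic).
SAMPLE = [
    {"ts": "2015-06-01T10:00:00", "src": "203.0.113.5", "dst": "192.0.2.10"},
    {"ts": "2015-06-01T10:04:00", "src": "203.0.113.5", "dst": "192.0.2.11"},
    {"ts": "2015-06-01T10:06:00", "src": "198.51.100.7", "dst": "192.0.2.30"},
    {"ts": "2015-06-01T10:12:00", "src": "203.0.113.5", "dst": "192.0.2.40"},
    {"ts": "2015-06-01T10:15:00", "src": "203.0.113.9", "dst": "192.0.2.40"},
]
```

With the sample data, the 10:00 window contains a one-to-many event (one source, two targets) and an unrelated one-to-one event, while the 10:10 window contains a single many-to-one event against 192.0.2.40; the per-window event lists are exactly the "attacks per unit time" figures the display needs.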
Figure: Attack events
Figure: Attack curves formed by the characteristics of different attacks in different time periods
Merged statistics by attack IP:
Figure: Attack IP merging statistics
Attack tracing after association analysis:
Figure: Association analysis
For the series of attack behaviours against a target host, alarm log analysis visualizes the behaviours in the five stages over time, giving an intuitive feel for everything the affected system has been subjected to. Different colours in the figure represent different attack stages, and this graphical representation makes the attack state of the target host clear at a glance.
Attack purpose
Dynamic perception focuses on global attack behaviour. Through specialized and intelligent big data mining it analyses, discovers, traces and reconstructs the whole attack process, identifies the weak points in security, and finally allows countermeasures to be deployed, improving proactive defence against known and unknown threats and nipping hidden dangers in the bud.
The figure shows that the data processing centre, supported by multiple points worldwide and with classified alarm logs at its core, focuses on data visualization and supports multi-level data extraction across the network architecture, displays the network risk situation from multiple perspectives (attack source, attack type and attack target), provides comprehensive and in-depth threat situation awareness and early warning, and helps users formulate timely response strategies.
Figure: Attack situation screenshot
Summary
The Internet connects everything, and with that interconnection comes security risk; since the birth of the Internet, network security and Pandora's box have been inseparable. In particular, people's deep dependence on big data, cloud computing and the mobile Internet, from energy and transport infrastructure to everyday necessities, all runs over the Internet, and security risks are growing as never before. The traditional IPS detection method is no longer suited to the changing, big-data-driven form of network threats in a world where everything is connected. Relying on the new rule classification model integrated with global massive data and professional, intelligent big data mining and analysis modules, making full use of the data-driven security mode, and presenting users with a visual detection and early warning platform in the form of global coverage, multi-point reporting and multi-level interconnection, the all-weather, all-round, multi-dimensional and three-dimensional "man, machine, ground, cloud" network security threat awareness solution is realized.
English version: http://blog.nsfocus.net/attack-chain-based-thread-aware-system/