Threat awareness system based on attack chain

Posted by fierce at 2020-02-27


With the diversification and growing complexity of network threats and the challenge of APT attacks, the new generation of threats not only spreads faster but also covers an ever broader attack surface: mobile, desktop, network, web, all kinds of applications, social networks and so on. Under the new normal, the information that traditional NIPS/NIDS devices alone provide can no longer meet current customers' needs; specialization, systematization and intelligence are becoming more and more critical. In particular, with the development of the Internet and rising expectations for user experience, it is all the more necessary to present the entire dynamic attack process to customers directly, through big-data analysis of network threat behaviour.

To meet customer needs, simplify device operation, give customers a more intuitive view of the attack process, and adapt to the change in threat perception under the new normal, the dimensions along which traditional NIPS vulnerability rules are divided must be re-adjusted, combined with a complete solution, so as to move away from the stateless, single-event, single-alarm statistics that traditional NIPS devices display to customers. The vulnerability rules are re-divided according to the attack chain of the event; the data processing centre then analyses the logs of the alarms produced under the new classification, and the intelligent analysis module presents the whole attack process to customers, from a big-data perspective, in five stages (detection scanning, penetration attack, attack invasion, installation of tools and malicious behaviour).

What is the "new normal"? The new normal is one of the "Xi-style hot words". "New" means "different from the old"; "normal" is the inherent state; the new normal is a state of development that differs from the past, is a trend, and is irreversible. What, then, is the new normal of network security threats? It is to rely on the integration of a large-scale security intelligence system with professional, intelligent big-data analysis modules, and to make full use of a data-driven security model, in order to realize an all-weather, all-round, multi-dimensional, three-dimensional "man-machine-ground-cloud" network security threat perception solution.

Alarm problems of traditional equipment

The alarm log is the first-hand, visible alarm information displayed to users after the device detects an intrusion. Depending on the level at which the network device is deployed, the number of alarm logs differs by several orders of magnitude. To improve the overall effect of threat perception, the way the network threat space is presented must be transformed and improved, extending from the virtual to the concrete and moving from a grasp of the parts to a grasp of the whole, by analysing the alarm logs, focusing on the global threat situation and opening a new paradigm of threat perception. Analysis of the alarm log is therefore very important, and that analysis includes the classification of alarm logs: the classification dimensions directly affect how customers identify and judge alarm logs, and in turn affect the presentation of threat situation awareness.

Traditional device vulnerability rule category

At present there are thousands of device rule entries. Rule classification is closely related to the rational configuration of policy. In a traditional NIPS, rules are classified along multiple dimensions, bringing them from disorder to order: attack category, protocol category, service type, technical means, threat degree and so on. The following figure shows two such classification forms:

[Figure: Traditional device vulnerability rules]

Display of equipment alarm information

After the device generates an alarm, the alarm mode is "one attack, one report", which is relatively one-dimensional.

[Figure: One attack, one report]

Shortcomings of traditional equipment classification

Traditional NIPS classification only classifies rules along single, stateless levels such as attack type. The resulting attack display cannot grasp the attack process as a whole, cannot directly show the effect of an attack, cannot guide the user to a judgement about the attack behaviour, and cannot adapt to today's big-data-driven network security defence schemes.

Threat awareness system

To build threat situation awareness under the new normal, a new alarm-log analysis platform is formed with the new rules as the driver, the new classification as the foundation and the attack chain as the guiding thread. A disruptive, stateful attack detection and early-warning scheme is formed in step with the change and upgrade of network attack behaviour. Based on objective, diversified attack patterns, it thoroughly changes the single-point "one attack, one report" warning mode rooted in habitual thinking, realizes a shift in mindset, and thereby drives improvements in product quality, solution and user experience. Combined with users' demand for comprehensive control of dynamic threat perception, it uses intelligent data analysis from a big-data-mining perspective to truly step outside the traditional NIPS detection-and-warning form, and finally realizes the threat perception situation solution under the new normal.

Rule classification standard based on attack chain model

The classification of rules ultimately affects the subsequent construction of the whole attack chain and the effect of threat perception. To adapt to new attack behaviours and techniques, the existing rules are divided into five attack stages: the detection scanning stage, the penetration attack stage, the capture invasion stage, the installation tool stage and the malicious behaviour stage.
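As an added example (not code from the original post or its vendor), the following Python script maps rule hits onto the five stages just listed and assembles a stateful per-target chain, in place of the stateless "one attack, one report" output. The rule IDs, the rule-to-stage table, the IPs and the timestamps are all constructed assumptions; it also flags a target whose deepest observed stage has no evidence of the earlier stages, which in practice points at a detection gap.

```python
"""Added example: stateful attack-chain assembly from stage-classified
NIPS alarms. Rule IDs, IPs, timestamps and the rule-to-stage mapping are
constructed for illustration, not real identifiers."""
from collections import defaultdict
from datetime import datetime

# The five attack-chain stages, in order, as named in the post.
STAGES = [
    "detection scanning",
    "penetration attack",
    "capture invasion",
    "installation tool",
    "malicious behaviour",
]
STAGE_INDEX = {name: i for i, name in enumerate(STAGES)}

# Hypothetical rule-to-stage mapping: the post re-divides existing
# vulnerability rules along exactly this stage dimension.
RULE_STAGE = {
    "R1001": "detection scanning",   # e.g. port sweep
    "R1002": "detection scanning",   # e.g. web path enumeration
    "R2001": "penetration attack",   # e.g. exploit attempt against a service
    "R3001": "capture invasion",     # e.g. reverse shell established
    "R4001": "installation tool",    # e.g. tool download
    "R5001": "malicious behaviour",  # e.g. C2 beacon / exfiltration
}

# Constructed alarm lines: timestamp,rule,src_ip,dst_ip
SAMPLE_ALARMS = """\
2020-02-27T08:00:01,R1001,203.0.113.5,192.0.2.10
2020-02-27T08:00:09,R1002,203.0.113.5,192.0.2.10
2020-02-27T08:03:15,R2001,203.0.113.5,192.0.2.10
2020-02-27T08:04:02,R3001,203.0.113.5,192.0.2.10
2020-02-27T08:06:40,R4001,203.0.113.5,192.0.2.10
2020-02-27T08:00:30,R1001,198.51.100.7,192.0.2.11
2020-02-27T08:02:00,R9999,198.51.100.7,192.0.2.11
2020-02-27T09:10:00,R5001,203.0.113.5,192.0.2.12
"""


def parse_alarms(text):
    """Parse raw alarm lines into dicts, attaching the attack-chain stage.
    Rules with no stage mapping are kept and marked 'unclassified' so
    they are counted rather than silently dropped from the chain view."""
    alarms = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rule, src, dst = line.split(",")
        alarms.append({
            "time": datetime.fromisoformat(ts),
            "rule": rule,
            "src": src,
            "dst": dst,
            "stage": RULE_STAGE.get(rule, "unclassified"),
        })
    return alarms


def build_chains(alarms):
    """Group alarms per target host (in time order) and return, for each
    target, the stages observed in order of first appearance, the deepest
    stage reached, and any earlier stages for which no alarm was seen."""
    per_target = defaultdict(list)
    for a in sorted(alarms, key=lambda a: a["time"]):
        per_target[a["dst"]].append(a)

    chains = {}
    for dst, hits in per_target.items():
        seen = []
        for h in hits:
            if h["stage"] in STAGE_INDEX and h["stage"] not in seen:
                seen.append(h["stage"])
        deepest = max((STAGE_INDEX[s] for s in seen), default=-1)
        # Stages up to the deepest one that never produced an alarm:
        # a likely blind spot in the rule set for this target.
        missing = [s for s in STAGES[:deepest + 1] if s not in seen]
        chains[dst] = {
            "sources": sorted({h["src"] for h in hits}),
            "stages": seen,
            "deepest_stage": STAGES[deepest] if deepest >= 0 else None,
            "missing_stages": missing,
            "hit_count": len(hits),
            "unclassified": sum(1 for h in hits if h["stage"] == "unclassified"),
        }
    return chains


if __name__ == "__main__":
    for dst, c in build_chains(parse_alarms(SAMPLE_ALARMS)).items():
        print(dst, "->", " > ".join(c["stages"]) or "(no classified stage)",
              "| deepest:", c["deepest_stage"], "| missing:", c["missing_stages"])
```

Each target now gets one chain record instead of one alarm per rule hit; the `missing_stages` field is where the stateful view pays off, since a host that appears only at the "malicious behaviour" stage tells the analyst that the earlier stages went undetected.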

[Figure: Attack techniques]

Display mode

To show the duration and timing of each stage and event of an attack more clearly and intuitively, the following form can be used:

[Figure: Timing 1]

New normal threat perception system

With the new classification, data mining and data analysis technology must be combined to show users the attacker's whole attack process more intuitively and visually, including the attack source IP, target IP, exploited vulnerability, number of attacks and attack stage. The classified alarm information generated by the device is uploaded to the data processing centre (BSA), which completes the data mining and analysis and displays the results to the user in visual form. Relying on the integration of massive data with professional, intelligent big-data analysis modules, and making full use of the data-driven security model, the all-weather, all-round, multi-dimensional, three-dimensional "man-machine-ground-cloud" network security threat perception solution can be realized.

[Figure: New normal threat perception system]

Threat perception effect under big data analysis

To give users a more intuitive perception of the attack situation, the big-data processing centre has produced a variety of renderings that dynamically perceive network attack behaviour in terms of time and number of attacks.

[Figure: Threat perception effect]

To present more attack information to users, attack warning information is classified into different events, including one-to-one, one-to-many, many-to-one and other forms of attack. At the same time, the number of attacks and attack events per unit time are displayed. This gives users a visual way to understand and master the overall attack situation in time.

[Figure: Attack 1]

Attack curves formed by the attack characteristics of different attack behaviours over different time periods:

[Figure: Curve 1]

Merged statistics by attacking IP:

[Figure: IP circular]

Attack tracing after association analysis:

[Figure: Analysis 1]

For the series of attack behaviours against a target host, analysis of the alarm log visualizes the attack behaviours in five different stages at different times, giving an intuitive feel for the various behaviours the affected system has experienced. Different colours in the figure represent different attack stages. Through this graphical representation, the attack state of the target host can be clearly understood.
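The event grouping, per-unit-time curve and merged per-IP statistics described in the preceding sections (one-to-one / one-to-many / many-to-one events, attacks per hour, and statistics merged by attacking IP) can be computed from the classified alarms the device uploads. The Python below is an added example, not the data processing centre's own code; the alarm lines, IPs, times and the four-field upload format are constructed assumptions.

```python
"""Added example: event topology classification, attacks-per-hour curve
and merged per-source statistics over classified alarms. All alarm
lines, IPs and times are constructed sample data."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed classified alarms as a device might upload them:
# timestamp,src_ip,dst_ip,stage  (stage already assigned by the rule set)
SAMPLE = """\
2020-02-27T08:05:00,203.0.113.5,192.0.2.10,detection scanning
2020-02-27T08:07:00,203.0.113.5,192.0.2.11,detection scanning
2020-02-27T08:09:00,203.0.113.5,192.0.2.12,detection scanning
2020-02-27T08:30:00,198.51.100.7,192.0.2.20,penetration attack
2020-02-27T08:31:00,198.51.100.8,192.0.2.20,penetration attack
2020-02-27T09:02:00,198.51.100.9,192.0.2.20,capture invasion
2020-02-27T09:15:00,203.0.113.77,192.0.2.30,penetration attack
2020-02-27T10:40:00,203.0.113.77,192.0.2.30,installation tool
"""

# Attack-chain stage order as named in the post, used to rank stages.
STAGE_ORDER = ["detection scanning", "penetration attack", "capture invasion",
               "installation tool", "malicious behaviour"]


def parse(text):
    """Parse 'timestamp,src,dst,stage' lines into tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, stage = line.split(",")
            rows.append((datetime.fromisoformat(ts), src, dst, stage))
    return rows


def classify_events(rows):
    """Group alarms into events by topology: one source hitting several
    targets is a 'one-to-many' event, several sources hitting one target
    is a 'many-to-one' event, and an isolated source/target pair (each
    side seen with only the other) is 'one-to-one'."""
    targets_of = defaultdict(set)
    sources_of = defaultdict(set)
    for _, src, dst, _ in rows:
        targets_of[src].add(dst)
        sources_of[dst].add(src)

    events = []
    for src, dsts in targets_of.items():
        if len(dsts) > 1:
            events.append(("one-to-many", src, sorted(dsts)))
    for dst, srcs in sources_of.items():
        if len(srcs) > 1:
            events.append(("many-to-one", sorted(srcs), dst))
    for src, dsts in targets_of.items():
        if len(dsts) == 1:
            dst = next(iter(dsts))
            if len(sources_of[dst]) == 1:
                events.append(("one-to-one", src, dst))
    return events


def attacks_per_hour(rows):
    """Count alarms per clock hour: the data behind the attack curve."""
    counts = Counter(t.strftime("%Y-%m-%dT%H:00") for t, _, _, _ in rows)
    return dict(sorted(counts.items()))


def merge_by_source(rows):
    """Merged statistics per attacking IP: total hits, distinct targets,
    stages seen (in chain order), deepest stage, and active time span."""
    stats = {}
    for t, src, dst, stage in rows:
        s = stats.setdefault(src, {"hits": 0, "targets": set(), "stages": set(),
                                   "first": t, "last": t})
        s["hits"] += 1
        s["targets"].add(dst)
        s["stages"].add(stage)
        s["first"] = min(s["first"], t)
        s["last"] = max(s["last"], t)
    for s in stats.values():
        s["targets"] = sorted(s["targets"])
        s["stages"] = sorted(s["stages"], key=STAGE_ORDER.index)
        s["deepest_stage"] = s["stages"][-1]
    return stats


if __name__ == "__main__":
    rows = parse(SAMPLE)
    for ev in classify_events(rows):
        print("event:", ev)
    print("per hour:", attacks_per_hour(rows))
    for src, s in merge_by_source(rows).items():
        print(src, s["hits"], "hits,", len(s["targets"]), "targets, deepest:",
              s["deepest_stage"])
```

Note that one alarm can legitimately belong to both a one-to-many and a many-to-one event (a scanner sweeping a host that others are also attacking); the topology view is a grouping for display, not a partition, so the two loops are kept independent rather than made mutually exclusive.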

Attack purpose

Dynamic perception focuses on global attack behaviour. Through specialized, intelligent big-data mining it analyses, discovers, traces and reconstructs the whole attack process, identifies the weak points in security, and finally deploys countermeasures, improving active defence capability against both known and unknown threats and nipping hidden dangers in the bud.

The figure shows that in the data processing centre, with global multi-point support and classified alarm logs at its core, the system focuses on data visualization and supports multi-level data extraction across the network architecture; it displays the network risk situation from multiple perspectives such as attack source, attack type and attack target, provides comprehensive, in-depth threat situation awareness and early warning, and helps users formulate timely response strategies.

[Figure: Screenshot of attack situation]

The Internet connects everything, and with that interconnection comes security risk. Since the birth of the Internet, network security and Pandora's box have been tightly linked. In particular, people's deep dependence on big data, cloud computing and the mobile Internet, from energy and transportation infrastructure to the necessities of daily life, means nothing is free of the Internet and security risks are increasing as never before. The traditional IPS detection method is no longer suited to the big-data-driven change in network threats under the interconnection of everything. By integrating the new rule classification model with global massive data and professional, intelligent big-data mining and analysis modules, making full use of the data-driven security model, and presenting a visual detection and early-warning platform to users in the form of global coverage, multi-point reporting and multi-level interconnection, the all-weather, all-round, multi-dimensional, three-dimensional "man-machine-ground-cloud" network security threat awareness solution is realized.
