
Design And Implementation Of APT Network Attack Detection Platform Based On Multi-information Sources

Posted on: 2018-07-10 / Degree: Master / Type: Thesis
Country: China / Candidate: R Q F Wu / Full Text: PDF
GTID: 2348330542471925 / Subject: Computer technology

Abstract/Summary:
As the value of information grows, a series of attacks aimed at stealing information assets continue to occur, and one of the biggest threats to enterprises is the advanced persistent threat (APT). The key to detecting an APT is to detect network attacks and to analyze data traffic in depth. This thesis carries out a thorough analysis of the common APT attack process and of defense methods, and presents a model for detecting attack behavior, together with a system design, based on the characteristics of each stage of the APT attack life cycle. The main work is as follows:

(1) Through the study of a large number of published APT event reports, the common points shared by APT events are dug out, and the stages of the APT attack life cycle and the dimensions of an APT attack are summarized.

(2) Addressing the stealthiness of APT attacks, this thesis proposes a "security filter funnel" that filters network traffic layer by layer to find the hidden suspect data in massive network data; these separate clues can then be linked to form a chain of evidence.

(3) The actual demands of an enterprise are analyzed, and a network attack detection platform is designed according to the "security funnel model", combined with open source tools.

(4) At the end of this thesis, 2 common APT attack processes are taken as examples to simulate the whole life cycle of an attack in the experimental network; the key clues of the network attack behavior are found by the detection platform, and the adaptability and availability of the platform are demonstrated by the results.

This thesis designs an effective analysis and detection platform by using the concept of a cooperative security incident management system and a cooperative security mechanism, designs a three-dimensional traceable and continuous defense technology, and builds a unified intelligence analysis system that combines different security devices to improve on traditional detection methods. Through a configurable intrusion detection analysis model, the originally independent, scattered log information is collected, classified, and stored, and is finally used to extend perceptual ability, improve the quality of security alarms, and detect common network attack behaviors.
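The abstract describes the "security filter funnel" only in outline: traffic is narrowed layer by layer, the survivors become clues, and clues about the same host are linked into a chain of evidence. The following is an added illustration of that idea, not code from the thesis or its platform. The flow record format, the allow-list, the two life-cycle stages it recognises (command-and-control beaconing and a large outbound transfer), the thresholds, and all sample flows are constructed assumptions for the example.

```python
"""
Added example (not from the thesis): a toy "security filter funnel" over
constructed network flow records. Each layer discards traffic the previous
layer cleared, the surviving flows become per-host clues tagged with an
assumed APT life-cycle stage, and clues for the same internal host are
linked into an evidence chain.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import pstdev


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds (constructed timestamps)
    src: str         # internal host address
    dst: str         # remote address
    dport: int
    bytes_out: int   # bytes sent by the internal host


# Constructed sample: 10.0.0.5 beacons to 198.51.100.7 every 60 s, then pushes
# 50 MB to it; 10.0.0.7 only talks to an allow-listed host; 192.0.2.20 is a
# popular site contacted by three hosts; 10.0.0.9 makes one ordinary request.
SAMPLE_FLOWS = [
    Flow(1000, "10.0.0.5", "198.51.100.7", 443, 1200),
    Flow(1060, "10.0.0.5", "198.51.100.7", 443, 1180),
    Flow(1120, "10.0.0.5", "198.51.100.7", 443, 1210),
    Flow(1180, "10.0.0.5", "198.51.100.7", 443, 1190),
    Flow(1500, "10.0.0.5", "198.51.100.7", 443, 50_000_000),
    Flow(1005, "10.0.0.7", "203.0.113.10", 443, 900),
    Flow(1300, "10.0.0.7", "203.0.113.10", 443, 950),
    Flow(1310, "10.0.0.7", "203.0.113.10", 443, 980),
    Flow(1400, "10.0.0.9", "198.51.100.9", 80, 3000),
    Flow(1020, "10.0.0.5", "192.0.2.20", 443, 700),
    Flow(1030, "10.0.0.7", "192.0.2.20", 443, 650),
    Flow(1040, "10.0.0.9", "192.0.2.20", 443, 720),
]

ALLOW_LIST = {"203.0.113.10"}   # assumed known-good destinations
EXFIL_BYTES = 10_000_000        # assumed threshold for one large upload
BEACON_MIN_FLOWS = 3            # assumed minimum flows to call it beaconing
BEACON_JITTER_S = 5.0           # assumed tolerance on the interval spread


def layer_allowlist(flows):
    """Layer 1: drop traffic to destinations already known to be good."""
    return [f for f in flows if f.dst not in ALLOW_LIST]


def layer_rare_destination(flows):
    """Layer 2: keep only destinations contacted by a single internal host."""
    hosts_per_dst = defaultdict(set)
    for f in flows:
        hosts_per_dst[f.dst].add(f.src)
    return [f for f in flows if len(hosts_per_dst[f.dst]) == 1]


def layer_clues(flows):
    """Layer 3: turn the surviving flows into stage-tagged clues per host."""
    clues = defaultdict(list)    # src host -> list of (stage, detail)
    by_pair = defaultdict(list)  # (src, dst) -> flows between that pair
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)
        if f.bytes_out >= EXFIL_BYTES:
            clues[f.src].append(
                ("exfiltration", f"{f.bytes_out} bytes to {f.dst}:{f.dport}"))
    for (src, dst), pair_flows in by_pair.items():
        # Regularly spaced small flows to one destination look like a beacon.
        small = sorted(f.ts for f in pair_flows if f.bytes_out < EXFIL_BYTES)
        if len(small) >= BEACON_MIN_FLOWS:
            gaps = [b - a for a, b in zip(small, small[1:])]
            if pstdev(gaps) <= BEACON_JITTER_S:
                period = round(sum(gaps) / len(gaps))
                clues[src].append(
                    ("command_and_control", f"beacon to {dst} every ~{period} s"))
    return clues


def evidence_chains(clues, min_stages=2):
    """Link clues: a host with clues from >= min_stages distinct stages forms a chain."""
    return {host: sorted(cl) for host, cl in clues.items()
            if len({stage for stage, _ in cl}) >= min_stages}


def run_funnel(flows):
    """Run the three layers and return the evidence chains they leave behind."""
    return evidence_chains(layer_clues(layer_rare_destination(layer_allowlist(flows))))


if __name__ == "__main__":
    for host, chain in run_funnel(SAMPLE_FLOWS).items():
        print(host)
        for stage, detail in chain:
            print(f"  {stage}: {detail}")
```

Each layer only shrinks the data set, so the expensive per-pair beacon analysis in layer 3 runs on a small fraction of the original flows, which is the point of the funnel. Requiring clues from at least two distinct stages before a chain is reported is what turns isolated, individually explainable anomalies into evidence; a single large upload or a single regular connection on its own does not pass.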
Keywords/Search Tags:APT, Advanced Persistent Threat, Network Attack, Detection Model