APT attack identification and tracing technology based on threat intelligence correlation
The form of confrontation in cyberspace is becoming more complex, involving artificial intelligence, evasion, intelligence gathering, social engineering, geopolitics and more. At present, the IOC characteristics of threat intelligence are mainly used to identify connection behavior between controlled hosts and C&C terminals. In addition, the hacker organization can be traced through association extension of the IOCs. Based on full-traffic storage and backtracking data and on global APT threat intelligence monitoring, an APT attack identification and background traceability scheme based on an IOC extended index, TTP rules and model association is proposed. It extends the traditional detection mode based on a single time point to a detection mode based on a historical time window, and can therefore cope more fully with the persistence and long-term nature of APT. At the same time, it also becomes one of the effective ways to trace the background of an APT organization.
Keywords: full traffic; threat intelligence; IOC characteristics; TTP; association analysis
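The abstract's core idea, matching IOCs retrospectively over a historical time window of stored traffic and then associating the hits with an actor's TTP rules, as an added illustration that is not the paper's own code. The IOC entries, TTP rule, flow records, actor name and scoring are all constructed for the example; the IOC validity window (first_seen/last_seen) stands in for the paper's "IOC extended index".

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample intelligence (not from the paper): each IOC carries the
# attributed actor and the window in which intelligence saw it active.
IOCS = {
    "198.51.100.7": {"actor": "APT-EXAMPLE", "first_seen": "2024-01-03", "last_seen": "2024-02-20"},
    "update-cdn.example": {"actor": "APT-EXAMPLE", "first_seen": "2023-12-01", "last_seen": "2024-02-28"},
}
# Constructed TTP rule: the actor's known C&C beacon cadence.
TTP_RULES = {"APT-EXAMPLE": {"beacon_interval_s": 300, "beacon_tolerance_s": 15}}
# Constructed full-traffic records: (internal host, destination, timestamp).
FLOWS = [
    ("10.0.0.5", "198.51.100.7", "2024-01-10T08:00:00"),
    ("10.0.0.5", "198.51.100.7", "2024-01-10T08:05:02"),
    ("10.0.0.5", "198.51.100.7", "2024-01-10T08:10:01"),
    ("10.0.0.9", "update-cdn.example", "2023-11-15T12:00:00"),  # predates the IOC
    ("10.0.0.9", "update-cdn.example", "2024-01-20T12:00:00"),
]

def backtrack_ioc_hits(flows, iocs, window_start, window_end):
    """Retrospective IOC matching over stored traffic. A flow is a hit only if it
    lies inside the analyst's historical window AND inside the IOC's own
    validity window, so a stale indicator does not fire on pre-campaign traffic."""
    ws, we = datetime.fromisoformat(window_start), datetime.fromisoformat(window_end)
    hits = defaultdict(list)  # host -> [(indicator, actor, timestamp)]
    for host, dst, when in flows:
        t, ioc = datetime.fromisoformat(when), iocs.get(dst)
        if ioc and ws <= t <= we and \
                datetime.fromisoformat(ioc["first_seen"]) <= t <= datetime.fromisoformat(ioc["last_seen"]):
            hits[host].append((dst, ioc["actor"], t))
    return hits

def beacon_ttp_match(times, interval_s, tolerance_s):
    """TTP rule: at least two consecutive gaps matching the actor's beacon interval."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return sum(abs(g - interval_s) <= tolerance_s for g in gaps) >= 2

def attribute(flows, iocs, ttp_rules, window_start, window_end):
    """Associate IOC hits with TTP hits per (host, actor); score = distinct IOCs + TTP."""
    result = {}
    for host, events in backtrack_ioc_hits(flows, iocs, window_start, window_end).items():
        by_actor = defaultdict(list)
        for indicator, actor, t in events:
            by_actor[actor].append((indicator, t))
        for actor, ev in by_actor.items():
            rule, inds = ttp_rules.get(actor), sorted({i for i, _ in ev})
            ttp = bool(rule) and beacon_ttp_match([t for _, t in ev], rule["beacon_interval_s"], rule["beacon_tolerance_s"])
            result[(host, actor)] = {"iocs": inds, "ttp_match": ttp, "score": len(inds) + int(ttp)}
    return result
```

Widening the window to cover the whole campaign surfaces the second host, while the flow that predates the indicator's first_seen is still ignored; this is the time-window behaviour the abstract contrasts with point-in-time matching.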