Journal of Information Security Research ›› 2023, Vol. 9 ›› Issue (5): 423-.


Research on Active Defense Method of Network Security Under APT Organization Attack Behavior


  • Online:2023-05-01 Published:2023-04-29



  1. (Internet Business Department, 国网思极网安科技(北京)有限公司 (State Grid Siji Network Security Technology (Beijing) Co., Ltd.), Beijing 102209)
  • Corresponding author: 殷树刚, Ph.D., professor-level senior engineer. Main research interests: network security, information security.
  • Author biographies: 殷树刚, Ph.D., professor-level senior engineer. Main research interests: network security, information security. 李祉岐, M.Sc., senior engineer. Main research interests: network security, information security. 刘晓蕾, M.Sc., senior engineer. Main research interests: network security, information security. 李宁, junior engineer. Main research interests: network security, information security. 林寅伟, M.Sc., junior engineer. Main research interests: network security, information security.

Abstract: At present, the international situation is complex and changeable, new social conflicts and contradictions are constantly arising in the transition period of domestic society, and hostile forces are trying in vain to destroy the Critical Information Infrastructures (CII) of our country, resulting in adverse social impacts. Existing defense measures, which detect and defend against network attacks that have already occurred, are not flexible and place very high demands on the comprehensiveness of the defense system. Therefore, this paper proposes an active defense method for electric power industry network security based on attack behaviors. By analyzing the attack behavior of attackers and combining it with the ATT&CK attack framework model, the method addresses Advanced Persistent Threat (APT) organizations that carry out intermittent attack attempts through layer upon layer of forwarding across a large number of springboard nodes until a breakthrough point and a springboard node are found, together with the behaviors and outcomes that may occur before or during the attack. The springboards at every level and the organizational or personal information of the attacker are discovered in advance, and the attack behavior is detected and blocked ahead of time during the attacker's reconnaissance stage, so as to realize active defense against the attack behavior.

Key words: electric power, active defense, traceability, network security, APT organization

Abstract (Chinese): The current international situation is complex and changeable, new social conflicts and contradictions continue to arise during the transition period of domestic society, and hostile forces are trying in vain to destroy our country's critical information infrastructure, causing adverse social impacts. Existing defense measures, which detect and defend against network attacks that have already occurred, lack flexibility and place extremely high demands on the comprehensiveness of the defense system. Therefore, an active defense method for electric power industry network security based on attack behaviors is proposed. Experiments verify that, by analyzing the attacker's attack behavior and combining it with the ATT&CK attack framework model, the method addresses the problem of advanced persistent threat (APT) organizations carrying out intermittent attack attempts through layer upon layer of forwarding across a large number of springboard nodes until a breakthrough point and a springboard node are found, as well as the behaviors and outcomes that may occur before or during the attack; it discovers the attacker's springboards at every level and their organizational or personal information in advance, detects the attack behavior ahead of time during the attacker's reconnaissance stage, blocks it pre-emptively, and thereby realizes active defense against the attack behavior.

Key words (Chinese): electric power, active defense, traceability, network security, APT organization
