Collection: Advanced Persistent Threat (APT) attack detection and defense

Developer: 

ZTE Corporation

Institute of Software, Chinese Academy of Sciences

Qi An Xin Technology Group Inc.

The Advanced Persistent Threat (APT) attack is a highly dormant and highly destructive organized cyberattack by hacking organizations against high-value targets. It is one of the significant and difficult issues to handle in cyberspace governance. This project has made breakthroughs in several key technologies, such as in-depth software analysis based on hardware simulation after more than ten years of research and development and accumulated independent core technologies for APT attack detection and defense. Major technological innovations include:

○ In-depth software analysistechnology based on hardware simulation.

Aiming to satisfy the requirements in APT attack detection, this project provides a technique for dynamic analysis of software based on hardware emulation, resolving the problem of process execution semantics recovery, with detection module implemented purely in virtual hardware layer, enabling monitoring and detection with instruction/byte level analysis, innovating the way of supervising of running programs which most traditional security products supervise through operating system programming interface. It solves the problem of competition between detection tools and malicious code running in the same operating system, which lays a methodological foundation for the APT attack detection solutions and the development of products.

○ Attack detection based on the exception analysis of program execution

Aiming to detect APT attacks, this project identifies potential exploits by analyzing anomaly control transfer, examining instruction-level program behaviors. It identifies normal code regions similar to exploiting instructions and detecting attacking attempts even if the exploit fails. This project detects unknown zero-day attacks without prior information, such as vulnerability information and exploits features. The detection accuracy is much better than that of similar schemes and products. This solution is the core enabling technology of this project in APT attack detection.

○ Analysis of cyberattack based on fine-grained data flow analysis

Aiming to trace and track APT attacks, this project puts forward a dynamic data flow-based solution. This project proposes to build the data flow analysis rules through instruction self-learning and implements the whole system upon the innovative execution record and playback mechanism, enabling instruction/byte-level data flow analysis, supporting commercial data flow analysis software with a large codebase. This project effectively solves the problems of random interference in data flow analysis. It enables in-depth analysis of attack samples, which plays an important role in responding to and disposing of major APT incidents.

○ Development of products oriented towards APT attack prevention

This project has developed the KingKong system, the core engine of other products this project has built. To satisfy the needs in defense of national critical information infrastructure, deployment in large communication providers and data centers, and the requirements of large enterprise groups, this project developed a series of products, which have formed an entire platform for APT attack discovery analysis and disposal. The project's technical solution has become the first technical standard of unknown cyber threat detection accepted by ITU-T, published in January 2021.

The project has obtained 135 national invention patents, 16 software copyrights, and published 52 academic papers. The products developed by this project have been deployed in key national information infrastructure and large-scale enterprises. This project has played an important role in guaranteeing the security of numerous national events. In addition, the results of the project contribute a lot to the handling of major APT attacks, such as BlueLotus, making outstanding contributions in avoiding security losses. This project has achieved remarkable economic and social benefits.